commits  

Messages by Thread

• (tooling-trusted-releases) branch main updated: Binding vote noted in email #616 sbp
• (tooling-trusted-releases) branch file_type_detection created (now aa3364a) arm
• (tooling-trusted-releases) branch promote_gha updated: #344 - added some extra information arm
• (tooling-trusted-releases) branch promote_gha created (now 3376b5a) arm
  • (tooling-trusted-releases) 01/01: #344 - starter for instructions on how to upload via GitHub Actions. Needs committee filtering. arm
• (tooling-trusted-releases) branch main updated (d277098 -> c3ffe8e) sbp
• (tooling-trusted-releases) branch sbp updated: Wait for asyncssh cleanup tasks to run, to avoid warnings sbp
• (tooling-trusted-releases) branch main updated (f0ae28e -> d277098) sbp
• (tooling-trusted-releases) branch sbp updated (0580960 -> d277098) sbp
  • (tooling-trusted-releases) 01/01: Show pip version in the analysis workflow sbp
• (tooling-trusted-releases) branch main updated: Bump actions/setup-python from 6.1.0 to 6.2.0 sbp
• (tooling-trusted-releases) branch dependabot/github_actions/actions/setup-python-6.2.0 deleted (was 2bf25e3) sbp
• (tooling-trusted-releases) branch dependabot/github_actions/actions/setup-python-6.2.0 created (now 2bf25e3) github-bot
• (tooling-trusted-releases) branch binding-vote-email-616 updated (f8f0bad -> dde702b) akm
• (tooling-trusted-releases) branch main updated: Temporarily ignore CVE-2026-1703 in pip-audit until pip 26.0 available akm
• (tooling-trusted-releases) branch binding-vote-email-616 updated (5960092 -> f8f0bad) akm
• (tooling-trusted-releases) branch binding-vote-email-616 updated (cb6b976 -> 5960092) akm
  • (tooling-trusted-releases) 01/01: Binding vote noted in email #616 akm
• (tooling-trusted-releases) branch binding-vote-email-616 created (now cb6b976) akm
  • (tooling-trusted-releases) 01/01: Binding vote noted in email #616 akm
• (tooling-trusted-releases) branch main updated (af7afe8 -> 0580960) sbp
• (tooling-trusted-releases) branch sbp updated: Use a strict model for Quart cookie session data sbp
• (tooling-releases-client) branch dependabot/github_actions/astral-sh/setup-uv-7.2.0 deleted (was 4c3b0d8) github-bot
• (tooling-releases-client) branch dependabot/github_actions/actions/upload-artifact-6.0.0 deleted (was e7d291d) sbp
• (tooling-releases-client) branch dependabot/github_actions/actions/checkout-6.0.2 deleted (was 718ea35) sbp
• (tooling-releases-client) branch main updated: Bump actions/upload-artifact from 4.6.2 to 6.0.0 sbp
• (tooling-releases-client) branch main updated: Bump actions/checkout from 4.3.0 to 6.0.2 sbp
• (tooling-releases-client) branch dependabot/github_actions/actions/setup-python-6.2.0 deleted (was 925302f) sbp
• (tooling-releases-client) branch main updated: Bump actions/setup-python from 6.1.0 to 6.2.0 sbp
• (tooling-releases-client) branch dependabot/github_actions/actions/setup-python-6.2.0 created (now 925302f) github-bot
• (tooling-trusted-releases) branch main updated (521e6e1 -> af7afe8) sbp
• (tooling-trusted-releases) branch sbp updated: Update the Playwright test containers sbp
• (tooling-trusted-releases) branch main updated (933c601 -> 521e6e1) sbp
• (tooling-trusted-releases) branch sbp updated: Allow JSON logs to be configured and fix traceback logging sbp
• (tooling-trusted-releases) branch main updated (1e83287 -> 933c601) sbp
• (tooling-trusted-releases) branch sbp updated: Add a test route to raise an error, and log unhandled exceptions in JSON sbp
• (tooling-trusted-releases) branch main updated (c78b269 -> 1e83287) sbp
• (tooling-trusted-releases) branch sbp updated: Fix unparenthesized subexpressions sbp
• (tooling-trusted-releases) branch main updated (790ca41 -> c78b269) sbp
• (tooling-trusted-releases) branch sbp updated: Add documentation for users about checks sbp
• (tooling-trusted-releases) branch sbp updated (e7db0eb -> 790ca41) sbp
• (tooling-trusted-releases) branch main updated (935f617 -> 790ca41) sbp
  • (tooling-trusted-releases) 01/02: Detect and allow package roots from npm pack output sbp
  • (tooling-trusted-releases) 02/02: Add a release policy setting for the upstream branch in compose sbp
• (tooling-trusted-releases) branch sbp updated (7233089 -> e7db0eb) sbp
  • (tooling-trusted-releases) 01/03: Bump biomejs/setup-biome from 2.6.0 to 2.7.0 sbp
  • (tooling-trusted-releases) 03/03: Add a release policy setting for the upstream branch in compose sbp
  • (tooling-trusted-releases) 02/03: OF - to trigger retest sbp
• (tooling-trusted-releases) branch main updated (3beae5a -> 935f617) sbp
  • (tooling-trusted-releases) 01/02: Bump biomejs/setup-biome from 2.6.0 to 2.7.0 sbp
  • (tooling-trusted-releases) 02/02: OF - to trigger retest sbp
• (tooling-trusted-releases) branch dependabot/github_actions/biomejs/setup-biome-2.7.0 deleted (was 997126a) sbp
• (tooling-trusted-releases) branch dependabot/github_actions/biomejs/setup-biome-2.7.0 updated (a860d7c -> 997126a) wave
• (tooling-trusted-releases) branch sbp updated: Detect and allow package roots from npm pack output sbp
• (tooling-trusted-releases) branch main updated (b1d31df -> 3beae5a) sbp
• (tooling-trusted-releases) branch sbp updated (65d574c -> 3beae5a) sbp
  • (tooling-trusted-releases) 01/01: Fix some documentation pages and document the convention sbp
• (tooling-trusted-releases) branch main updated: Fix: Mitigate CRLF injection in email headers (Issue #603) sbp
• (tooling-trusted-releases) branch main updated: #216 - Handle correct exceptions now distributions is rewired. Don't allow retries of manual record. arm
• (tooling-trusted-releases) branch main updated (dcd2a63 -> 356a7fc) sbp
• (tooling-trusted-releases) branch sbp updated: Fix some documentation pages and document the convention sbp
• (tooling-trusted-releases) branch sbp updated: Update the documentation about check result ignores sbp
• (tooling-trusted-releases) branch sbp updated: Add tests for check result ignores sbp
• (tooling-trusted-releases) branch sbp updated (9664bcb -> a52d17f) sbp
  • (tooling-trusted-releases) 01/01: Associate check result ignores with projects not committees sbp
• (tooling-trusted-releases) branch main updated: #216 - Make sure staging "upgrades" still set pending arm
• (tooling-trusted-releases) branch main updated: #216 - Include pending status in blocking announce arm
• (tooling-trusted-releases) branch main updated (fe4f76a -> 937a85b) arm
• (tooling-trusted-releases) branch main updated: #216 - Try to return an appropriate message/error when distribution fails first time arm
• (tooling-trusted-releases) branch main updated: Change string quotes in COMMITTERS_MAY_RELEASE_COMMITTEES wave
• (tooling-trusted-releases) branch main updated: Fix type hint for COMMITTERS_MAY_RELEASE_COMMITTEES wave
• (tooling-trusted-releases) branch main updated: Update release committee configurations and comments for #523 wave
• (tooling-trusted-releases) branch main updated (e1ad640 -> 9664bcb) sbp
• (tooling-trusted-releases) branch sbp updated: Store the RAT command as a string on results, and add the scan directory sbp
• (tooling-trusted-releases) branch sbp updated: Add a form for admins to run checks again without using the cache sbp
• (tooling-trusted-releases) branch sbp updated: Ignore certain suffixes on archive basenames when searching for a root sbp
• (tooling-trusted-releases) branch main updated (a00a0af -> e1ad640) sbp
• (tooling-trusted-releases) branch sbp updated: Document check ignores sbp
• (tooling-trusted-releases) branch main updated (8ed69eb -> a00a0af) sbp
• (tooling-trusted-releases) branch main updated (66e7823 -> 8ed69eb) arm
• (tooling-trusted-releases) branch sbp updated (ca978b9 -> a00a0af) sbp
  • (tooling-trusted-releases) 01/01: Remove the commit target from the Makefile sbp
• (tooling-trusted-releases) branch pending_dist_changes created (now 8ed69eb) arm
  • (tooling-trusted-releases) 02/02: #216 - Scheduled task for pending distributions, add created_by to dist table. arm
  • (tooling-trusted-releases) 01/02: #216 - Add pending distribution status and background task to check it. Refactor some of the distribution logic out to shared module and some of shared module to precent circular references. arm
• (tooling-trusted-releases) branch main updated: Use Hyperscan for ignore patterns to avoid backtracking attacks sbp
• (tooling-trusted-releases) branch main updated: Add hyperscan and update dependencies sbp
• (tooling-trusted-releases) branch main updated (fa62aea -> ee6ef4e) sbp
  • (tooling-trusted-releases) 01/01: Use the Tooling project as a committee proxy in ASFQuart session data sbp
• (tooling-trusted-releases) branch main updated: Use the Tooling project as a committee proxy in ASFQuart session data sbp
• (tooling-trusted-releases) branch main updated (3e43462 -> 8c52b4c) sbp
• (tooling-trusted-releases) branch main updated: Add google-re2 and update dependencies sbp
• (tooling-trusted-releases) branch main updated: Note that ZIP extraction is not supported in the tarzip module sbp
• (tooling-trusted-releases) branch main updated: Ensure archive members limit can be disabled, and catch more widely sbp
• (tooling-trusted-releases) branch main updated: #598 - Check for account ban before issuing JWT arm
• (tooling-trusted-releases) branch main updated: Add unit tests for the archive member limit code sbp
• (tooling-trusted-releases) branch main updated: Archive member count limit #604 sbp
• (tooling-trusted-releases) branch archive-member-count-604 deleted (was b728116) sbp
• (tooling-trusted-releases) branch main updated: Fix problems with the code and tests for creating secure sessions sbp
• (tooling-trusted-releases) branch main updated: #596 - security documentation updated arm
• (tooling-trusted-releases) branch dependabot/github_actions/actions/checkout-6.0.2 deleted (was b0feef3) sbp
• (tooling-trusted-releases) branch main updated: Bump actions/checkout from 6.0.1 to 6.0.2 sbp
• (tooling-trusted-releases) branch dependabot/github_actions/actions/cache-5.0.2 deleted (was 09e592d) sbp
• (tooling-trusted-releases) branch main updated: Bump actions/cache from 5.0.1 to 5.0.2 sbp
• (tooling-trusted-releases) branch main updated: #596 - finite session lifetime by config - 72 hour default. arm
• (tooling-trusted-releases) branch main updated: feat(security): centralize secure HTTP sessions and enforce TLS 1.2+ (#548) sbp
• (tooling-trusted-releases) branch main updated: #508 - only consider non-staging distributions for blocking announce arm
• (tooling-actions) branch main updated: Align error handling and fix store name in validation arm
• (tooling-actions) branch main updated: Add suport for maven errors to production version, undo local testing changes to stg arm
• (tooling-trusted-releases) branch main updated: Use project release policy for tags arm
  • (tooling-trusted-releases) branch main updated: Use project release policy for tags arm
• (tooling-actions) branch main updated: Add artificial wait arm
• (tooling-trusted-releases) branch main updated: #598 - Check for account existence before issuing JWT arm
• (tooling-trusted-releases) branch main updated (df2ee0f -> 4421595) arm
• (tooling-actions) branch main updated: Allow insecure for testing arm
• (tooling-actions) branch main updated: Remove test temporarily arm
• (tooling-actions) branch main updated (8fb39c1 -> a51c23e) arm
  • (tooling-actions) 02/03: Update stg distribution to use tokens arm
  • (tooling-actions) 03/03: support for changing host and port arm
  • (tooling-actions) 01/03: Test workflow for new tokens arm
• (tooling-trusted-releases) branch main updated: Report on scheduled tasks as well as recent arm
• (tooling-trusted-releases) branch archive-member-count-604 created (now b728116) akm
  • (tooling-trusted-releases) 01/01: Archive member count limit #604 akm
• (tooling-trusted-releases) branch main updated: Exclude Litestream tables from Alembic sbp
• (tooling-trusted-releases) branch main updated: Filter out SSL shutdown timeout errors from asyncio in Hypercorn sbp
• (tooling-trusted-releases) branch main updated (529347d -> ba6aceb) sbp
  • (tooling-trusted-releases) 01/01: Clear a session before setting an impersonated session sbp
• (tooling-trusted-releases) branch main updated: Clear a session before setting an impersonated session sbp
• (tooling-trusted-releases) branch main updated: Validate release phase on manual resolution sbp
• (tooling-trusted-releases) branch main updated: Fix some problems with the admin script to import keys sbp
• (tooling-trusted-releases) branch main updated: Try the admin cache file in synchronous contexts too sbp
• (tooling-actions) branch main updated (995c85d -> 8fb39c1) arm
• (tooling-trusted-releases) branch main updated: #594 - Validate that OIDC is being used for endpoints where asf_uid is specifiable. arm
• (tooling-trusted-releases) branch main updated: #508 - block announcing through any channel until tagged distributions have been recorded arm
• (tooling-trusted-releases) branch jwtoken_multiple_sources updated: #504 - Add new ATR token to github workflows and validate arm
• (tooling-actions) branch main updated: Update stg distribution to use tokens arm
• (tooling-actions) branch main updated (e264cab -> b0cc433) arm
  • (tooling-actions) 01/01: Test workflow for new tokens arm
• (tooling-actions) branch main updated (02c7180 -> e264cab) arm
  • (tooling-actions) 01/01: Test workflow for new tokens arm
• (tooling-actions) branch main updated (4e89fde -> 02c7180) arm
  • (tooling-actions) 01/01: Test workflow for new tokens arm
• (tooling-actions) branch main updated (2d7ce58 -> 4e89fde) arm
  • (tooling-actions) 01/01: Test workflow for new tokens arm
• (tooling-actions) branch main updated: Test workflow for new tokens arm
• (tooling-trusted-releases) branch jwtoken_multiple_sources updated (aebbd92 -> 4467902) arm
  • (tooling-trusted-releases) 02/02: #504 - don't get UID from token if you take it from args arm
  • (tooling-trusted-releases) 01/02: #504 - enable jwtoken.require to take arguments, check tokens from multiple locations and process claims. Update asf_uid handling in API arm
• (tooling-trusted-releases) branch dependabot/github_actions/actions/cache-5.0.2 created (now 09e592d) github-bot
• (tooling-trusted-releases) branch dependabot/github_actions/actions/checkout-6.0.2 created (now b0feef3) github-bot
• (tooling-trusted-releases) branch dependabot/github_actions/biomejs/setup-biome-2.7.0 created (now a860d7c) github-bot
• (tooling-trusted-releases) branch main updated: Document ADMIN_USERS_ADDITIONAL sbp
  • (tooling-trusted-releases) branch main updated: Document ADMIN_USERS_ADDITIONAL wave
• (tooling-trusted-releases) branch jwtoken_multiple_sources updated (329148e -> aebbd92) sbp
• (tooling-trusted-releases) branch jwtoken_multiple_sources updated: Document ADMIN_USERS_ADDITIONAL sbp
• (tooling-trusted-releases) branch main updated: #550 - re-enable worker RLIMITs and set RAT Java args and CycloneDX .NET environment to git within them arm
• (tooling-trusted-releases) branch main updated: Fix issue with SBOM OSV scan models, and allow scan of jar files. arm
• (tooling-trusted-releases) branch main updated: Catch all relevant errors when accessing the admin cache in workers sbp
• (tooling-trusted-releases) branch jwtoken_multiple_sources created (now aebbd92) arm
  • (tooling-trusted-releases) 02/02: #504 - don't get UID from token if you take it from args arm
  • (tooling-trusted-releases) 01/02: #504 - enable jwtoken.require to take arguments, check tokens from multiple locations and process claims. Update asf_uid handling in API arm
• (tooling-trusted-releases) branch main updated: Cleaning up notes; fixes #533 akm
• (tooling-trusted-releases) branch main updated: Prevent events from being double encoded in the audit logs sbp
• (tooling-trusted-releases) branch main updated: Fix audit logging when the storage interface is used in tasks sbp
• (tooling-trusted-releases) branch main updated: Move most logging paraphernalia to a new loggers module sbp
• (tooling-trusted-releases) branch main updated: Document how to resolve a known problem with pip-audit sbp
• (tooling-trusted-releases) branch main updated: Fix some problems with file tag YAML validation sbp
• (tooling-trusted-releases) branch main updated: Add a property to get the admin status of committer sessions sbp
• (tooling-trusted-releases) branch main updated: Move request logging for #549 into file. Reduce docker-compose healthchecks after startup. Log level configurable. arm
• (tooling-trusted-releases) branch main updated: Use the LDAP admins cache when checking whether the user is an admin sbp
• (tooling-trusted-releases) branch main updated: Cache admins from LDAP using a server task sbp
• (tooling-trusted-releases) branch main updated: Add a cache module with admin functions, and tests sbp
• (tooling-trusted-releases) branch main updated: Fix a couple of small documentation issues sbp
• (tooling-trusted-releases) branch main updated: Fixes #555 sbp
• (tooling-trusted-releases) branch security-docs-555 deleted (was 183517d) sbp
• (tooling-trusted-releases) branch main updated: Only change perms if necessary sbp
• (tooling-trusted-releases) branch main updated (8d7a9d7 -> 809056b) sbp
  • (tooling-trusted-releases) 01/01: Add an LDAP search that discovers admin users sbp
• (tooling-trusted-releases) branch main updated: Add an LDAP search that discovers admin users sbp
• (tooling-trusted-releases) branch main updated: docs: document generated source file detection and exclusions (Fixes #477) sbp
• (tooling-trusted-releases) branch main updated: #535 - Add rate limiting on PAT and JWT endpoints arm
• (tooling-trusted-releases) branch main updated: Don't set up rate limits in testing arm
• (tooling-trusted-releases) branch main updated: #535 - Add specific rate limits to security-focused endpoints. Make sure user ID is logged in more cases (including 429s) arm
• (tooling-trusted-releases) branch main updated: #535 - Only proxyfix in non-local arm
• (tooling-trusted-releases) branch main updated: Log useragents arm
• (tooling-trusted-releases) branch main updated (b63b2e6 -> 2469e10) arm
• (tooling-trusted-releases) branch rate_limiting created (now 2469e10) arm
  • (tooling-trusted-releases) 01/01: #535 - Add global and API rate limits and proxyfix middleware. arm
• (tooling-trusted-releases) branch main updated (77bb20b -> b63b2e6) arm
• (tooling-trusted-releases) branch main updated (61a012c -> 77bb20b) sbp
• (tooling-trusted-releases) branch main updated: Document how to contribute documentation sbp
• (tooling-trusted-releases) branch main updated: Remove the outdated implementation plan sbp
• (tooling-trusted-releases) branch security-docs-555 updated (a780a74 -> 183517d) akm
• (tooling-trusted-releases) branch storage-interface-error-messages-redux deleted (was 16191b5) sbp
• (tooling-trusted-releases) branch storage-interface-error-messages-redux created (now 16191b5) akm
  • (tooling-trusted-releases) 01/02: Update storage interface error messages akm
  • (tooling-trusted-releases) 02/02: Update new code akm
• (tooling-trusted-releases) branch main updated: Fixes #486 sbp
• (tooling-trusted-releases) branch improve-documentation-486 deleted (was 3d6ff6b) sbp
• (tooling-trusted-releases) branch improve-documentation-486 updated (559986e -> 3d6ff6b) akm

• Earlier messages
• Later messages