Also, in case someone brings it up, there's an ongoing relevant
discussion on the builds@a.o list on automating releases, which includes
lots of good thoughts on the topic.

https://lists.apache.org/thread.html/af4b2a5d73fde5ab76a376549f645404da7865a8b002145435b2359c@%3Cbuilds.apache.org%3E

Michael

On 1/7/19 3:32 PM, Michael Shuler wrote:
> To-do items that might further the goal of getting more people involved
> in releases, here are a couple tickets on this:
> 
> https://issues.apache.org/jira/browse/CASSANDRA-14962
> https://issues.apache.org/jira/browse/CASSANDRA-14963
> 
> #14962 is really a "we're doing it wrong" ticket on release artifacts.
> There are also some comments in the details of
> http://cassandra.apache.org/doc/latest/development/release_process.html
> that could be streamlined and include fixing the steps, temporary upload
> problems, etc. Work on temporary uploads for staging the artifacts could
> be useful for #14963.
> 
> Michael
> 
> On 1/7/19 3:15 PM, Michael Shuler wrote:
>> Mick and I have discussed this previously, but I don't recall if it was
>> email or IRC. Apologies if I was unable to describe the problem to a
>> point of general understanding.
>>
>> To reiterate the problem, changing gpg signature keys screws our Debian
>> and Red Hat package repositories for all users. Tarballs are not
>> installed with a client that checks signatures in a known trust
>> database. When the gpg key signer changes, users need to modify their trust
>> on every node, importing new key(s), in order for packages to
>> install/upgrade with apt or yum.
>>
>> I don't understand how adding keys changes release frequency. Did
>> someone request a release to be made or are we on some assumed date
>> interval?
>>
>> Michael
>>
>> On 1/7/19 2:30 PM, Jonathan Haddad wrote:
>>> That's a good point.  Looking at the ASF docs I had assumed the release
>>> manager was per-project, but on closer inspection it appears to be
>>> per-release.  You're right, it does say that it can be any committer.
>>>
>>> http://www.apache.org/dev/release-publishing.html#release_manager
>>>
>>> We definitely need more frequent releases; if this is the first step
>>> towards that goal, I think it's worth it.
>>>
>>> Glad you brought this up!
>>> Jon
>>>
>>>
>>> On Mon, Jan 7, 2019 at 11:58 AM Mick Semb Wever <m...@apache.org> wrote:
>>>
>>>>
>>>>
>>>>> I don't see any reason to have any keys in there, except from release
>>>>> managers who are signing releases.
>>>>
>>>>
>>>> Shouldn't any PMC (or committer) be able to be a release manager?
>>>>
>>>> The release process should be reliable and reproducible enough to be safe
>>>> for rotating release managers every release. I would have thought security
>>>> concerns were better addressed by a more tested process? And AFAIK no other
>>>> ASF projects are as restrictive on who can be in the release manager role (but
>>>> I've only checked a few projects).
>>>>
>>>>
>>>>
>>>> ---------------------------------------------------------------------
>>>> To unsubscribe, e-mail: dev-unsubscr...@cassandra.apache.org
>>>> For additional commands, e-mail: dev-h...@cassandra.apache.org
>>>>
>>>>
>>>
>>
> 

