On 2023-07-19 11:45, tison wrote:
Hi Daniel,
Automating this process *requires* a
reproducible build process that has been approved by the ASF security
team
It sseems the security team has limited bandwidth to process such a review
request. I make the request to secur...@apache.org for OpenDAL (incubating)
and the team member tells me they are working on other items now.
This is of course understandable, while I'm wondering if we have a JIRA
project to track this request instead of I keep an eye on the security
mailing list which is quite busy for other threads. Also, I don't think
such a request needs to be private and secur...@apache.org is private.
Briefly, I'm not sure if we have a public tracking place for requests
on automating
releases.
Best,
tison.
I think the question of resources here might be better suited for the
board. I have neither the experience nor authority on this matter :)
Daniel Gruno <humbed...@apache.org> 于2023年7月19日周三 17:28写道:
On 2023-07-19 11:21, Francis Chuang wrote:
Is infra happy to explore the case where release artifacts are
automatically uploaded via CI?
The exploration is already ongoing.
This would go a long way towards automating our release process as
asking RMs to download the release artifacts from GitHub and uploading them
manually is a bit clunky.
I do want to point out one thing that is a general requirement and not
specific to this email or project: Automating this process *requires* a
reproducible build process that has been approved by the ASF security
team. That is the first place projects should look when they decide to
explore this route, and is a requirement before infra will even
entertain the notion of automated artifacts for a project.
On 2023/07/18 19:55:00 Volkan Yazıcı wrote:
Abstract: Signing release artifacts using an automated release
infrastructure has been officially approved by LEGAL. This enables
projects to sign artifacts using, say, GitHub Actions.
I have been trying to overhaul the Log4j release process and make it
as frictionless as possible since last year. As a part of that effort,
I wanted to sign artifacts in CI during deployment and in a
`members@a.o` thread[0] I explained how one can do that securely with
the help of Infra. That was in December 2022. It has been a long,
rough journey, but we succeeded. In this PR[1], Legal has updated the
release policy to reflect that this process is officially allowed.
Further, Infra put together guides[2][3] to assist projects. Logging
Services PMC has already successfully performed 4 Log4j Tools releases
using this approach, see its release process[4] for a demonstration.
[0] (members only!)
https://lists.apache.org/thread/1o12mkjrhyl45f9pof94pskg55vhs61n
[1] https://github.com/apache/www-site/pull/235
[2] https://infra.apache.org/release-publishing.html#signing
[3]
https://infra.apache.org/release-signing.html#automated-release-signing
[4]
https://github.com/apache/logging-log4j-tools/blob/master/RELEASING.adoc
# F.A.Q.
## Why shall a project be interested in this?
It greatly simplifies the release process. See Log4j Tools release
process[4], probably the simplest among all Java-based ASF projects.
## How can a project get started?
1. Make sure your project builds are reproducible (otherwise there is
no way PMC can verify the integrity of CI-produced and -signed
artifacts)
2. Clone and adapt INFRA-23996 (GPG keys in GitHub secrets)
3. Clone and adapt INFRA-23974 (Nexus creds. in GitHub secrets for
snapshot deployments)
4. Clone and adapt INFRA-24051 (Nexus creds. in GitHub secrets for
staging deployments)
You might also want to check this[5] GitHub Action workflow for
inspiration.
[5]
https://github.com/apache/logging-log4j-tools/blob/master/.github/workflows/build.yml
## Does the "automated release infrastructure" (CI) perform the full
release?
No. CI *only* uploads signed artifacts to Nexus. The release manager
(RM) still needs to copy the CI-generated files to SVN, PMC needs to
vote, and, upon consensus, RM needs to "close" the release in Nexus
and so on.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@community.apache.org
For additional commands, e-mail: dev-h...@community.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@community.apache.org
For additional commands, e-mail: dev-h...@community.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@community.apache.org
For additional commands, e-mail: dev-h...@community.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@community.apache.org
For additional commands, e-mail: dev-h...@community.apache.org
