On Fri, 15 June 2018 at 10:53, Stefan Bodewig <bode...@apache.org> wrote:
> On 2018-06-13, Dominik Psenner wrote:
>
> > That is possible. I restricted access to the GitHub token to the log4net
> > build job only. Stefan, would you like to try whether you can gain access
> > to that token? I can guide you to where you can find it off-list.
>
> Sorry, still travelling. Even if I don't manage to see the token, it is
> only going to prove to me that I'm not skilled enough :-)
>

I'm sure that wouldn't be the case. All popular CI systems provide secret environment variables as a feature. Without that, most DevOps use cases wouldn't be possible.

>
> Personally I'd want to verify the contents of the archive anyway (as
> part of vetting the release) and don't see any problem with signing them
> offline on my own machine at that point in time (or anybody else of us
> doing so). To me signing and uploading the ZIPs to dist.a.o doesn't have
> to be automated, YMMV.
>

We can agree to keep a few manual steps as long as these steps are as few as possible. Signing and uploading to dist.a.o and nuget can be one of them.

If there are no objections, I would freeze the codebase in 72h from now by creating a release branch from whatever commit develop points to on 2018-06-17 at 21:30 CEST (19:30 UTC). I would then like to proceed with the release and I hope that more people will join in and test the binaries while we prepare the release.

Thinking about what Gary did lately with log4j auditing, it may be a good idea to start one or more GitHub projects that implement sample use cases for log4net. Everyone could then use those projects to do a thorough testing of a release.

--
Dominik Psenner