On 2018-06-17, Dominik Psenner wrote: > Am Fr., 15. Juni 2018 um 10:53 Uhr schrieb Stefan Bodewig < > bode...@apache.org>:
>> On 2018-06-13, Dominik Psenner wrote: >>> That is possible. I restricted access to the github token to the log4net >>> build job only. Stefan, would you like to try whether you can gain access >>> to that token? I can guide you to where you can find it off-list. >> Sorry, still travelling. Even if I don't manage to see the token, it is >> only going to prove to me that I'm not skilled enough :-) > I'm sure that wouldn't be the case. All popular ci systems provide secret > environment variables as a feature. Without that most devops usecases > wouldn't be possible. Access to most of the CI systems used for said devops use cases is controlled much more tightly then to our Jenkins, though. >> Personally I'd want to verify the contents of the archive anyway (as >> part of vetting the relase) and don't see any problem with signing them >> offline on my own machine at that point in time (or anybody else of us >> doing so). To me signing and uploading the ZIPs to dist.a.o doesn't have >> to be automated, YMMV. > We can agree to keep a few manual steps as long as these steps are as few > as possible. Signing and uploading to dist.a.o and nuget can be one of them. Fine with me. > If there are no objections I would freeze the codebase in 72h from now by > creating a release branch from whatever commit develop points to on > 2018-06-17 at 21:30 CEST (19:30 UTC). Do you know how to create the oldkeys binaries? Or will we just no longer provide them (I could live with that). Stefan
