On Mon, 18 Jun 2018, 09:12 Stefan Bodewig, <bode...@apache.org> wrote:
> On 2018-06-17, Dominik Psenner wrote: > > > Am Fr., 15. Juni 2018 um 10:53 Uhr schrieb Stefan Bodewig < > > bode...@apache.org>: > > >> On 2018-06-13, Dominik Psenner wrote: > > >>> That is possible. I restricted access to the github token to the > log4net > >>> build job only. Stefan, would you like to try whether you can gain > access > >>> to that token? I can guide you to where you can find it off-list. > > >> Sorry, still travelling. Even if I don't manage to see the token, it is > >> only going to prove to me that I'm not skilled enough :-) > > > I'm sure that wouldn't be the case. All popular ci systems provide secret > > environment variables as a feature. Without that most devops usecases > > wouldn't be possible. > > Access to most of the CI systems used for said devops use cases is > controlled much more tightly then to our Jenkins, though. > > >> Personally I'd want to verify the contents of the archive anyway (as > >> part of vetting the relase) and don't see any problem with signing them > >> offline on my own machine at that point in time (or anybody else of us > >> doing so). To me signing and uploading the ZIPs to dist.a.o doesn't have > >> to be automated, YMMV. > > > We can agree to keep a few manual steps as long as these steps are as few > > as possible. Signing and uploading to dist.a.o and nuget can be one of > them. > > Fine with me. > > > If there are no objections I would freeze the codebase in 72h from now by > > creating a release branch from whatever commit develop points to on > > 2018-06-17 at 21:30 CEST (19:30 UTC). > > Do you know how to create the oldkeys binaries? Or will we just no > longer provide them (I could live with that). > I have no idea, yet. :-) people had a long time to adapt to newkey binaries. If they have not migrated yet, they can as well do now. Do you have preferences on the version? I opt for 2.1.0 but would be fine with 2.0.9 too.