Is there an option to trust a ci machine and automate the publish with a push of a tag after a successful vote? With this, anyone having the possibility to push a tag can forge a release with almost no effort.

--
Sent from my phone. Typos are a kind gift to anyone who happens to find them.

On Mon, Aug 17, 2020, 19:21 Davyd McColl <dav...@gmail.com> wrote:

> Correct, nuget publish. An option, once I'm trusted, is to allow me to
> publish. My nuget login is done via Microsoft credentials for
> dav...@gmail.com, and is secured by 2FA, so the only real risk is how
> dodgy I am (:
>
> If it's of interest to anyone, my profile is at
> https://www.nuget.org/profiles/davydm
>
> -d
>
>
> On August 17, 2020 18:46:50 Dominik Psenner <dpsen...@gmail.com> wrote:
>
> > I guess that would be a nuget publish.
> >
> > https://docs.microsoft.com/en-us/nuget/nuget-org/publish-a-package
> >
> > The credentials to that account are stored in the private repos of
> > logging pmc. Most members of the pmc should be in the set of
> > recipients with their gpg key.
> > --
> > Sent from my phone. Typos are a kind gift to anyone who happens to find
> > them.
> >
> > On Mon, Aug 17, 2020, 08:56 Davyd McColl <dav...@gmail.com> wrote:
> >
> >> Great!
> >>
> >> How do we get the nupkg to nuget.org? This is the final step that most
> >> users are going to be interested in.
> >>
> >> Having a look at what's at the url you posted, I have ideas on how to
> >> streamline future releases, so the next time I'm in that area, I'm
> >> definitely implementing those ideas. I don't see changes to the Release
> >> Notes area -- if I were to try to streamline that into a release, would
> >> a CHANGELOG file be useful? Or is there a better way?
> >>
> >> -d
> >> On 2020/08/16 23:26:07, Matt Sicker <boa...@gmail.com> wrote:
> >> I committed them to dist already. I don't know how long we should wait
> >> for any mirroring to catch up, though on my end, I see updated
> >> artifacts on https://downloads.apache.org/logging/log4net/ other than
> >> the release notes.
> >>
> >> On Sun, 16 Aug 2020 at 15:09, Ralph Goers wrote:
> >> >
> >> > +1 to that!
> >> >
> >> > Let me know when these are published. I can update the web site to
> >> > reflect that it is no longer dormant.
> >> >
> >> > Ralph
> >> >
> >> > > On Aug 16, 2020, at 11:54 AM, Matt Sicker wrote:
> >> > >
> >> > > Thanks so much for your help in releasing this!
> >> > >
> >> > > On Sun, 16 Aug 2020 at 13:53, Davyd McColl wrote:
> >> > >>
> >> > >> I'll make changes to the automated build to affect all changes you
> >> > >> have made (and perhaps will make) automatically to future releases
> >> > >> for the next release. Apologies for making this more difficult than
> >> > >> it needs to be (:
> >> > >>
> >> > >> -d
> >> > >>
> >> > >>
> >> > >> On August 16, 2020 20:37:01 Matt Sicker wrote:
> >> > >>
> >> > >>> Just a simple copy of the LICENSE and NOTICE file into the binaries
> >> > >>> zip, and a rename of the files to include "apache" in the name. I've
> >> > >>> uploaded them to dist along with updating the KEYS file for log4net,
> >> > >>> though that should probably be merged together with the project-wide
> >> > >>> KEYS file in the parent directory. There's an outdated README.html in
> >> > >>> the directory still containing the old release notes, but we can
> >> > >>> address that next.
> >> > >>>
> >> > >>> On Sun, 16 Aug 2020 at 13:12, Matt Sicker wrote:
> >> > >>>>
> >> > >>>> One issue I found in one of the artifacts that I can address before
> >> > >>>> uploading since it wasn't signed is the binaries zip is missing the
> >> > >>>> LICENSE file. I'm not sure if there's a standard way to include that
> >> > >>>> in the nupkg file, but I did see that in its metadata, it explicitly
> >> > >>>> says the code is Apache2 licensed at least.
> >> > >>>>
> >> > >>>> On Sun, 16 Aug 2020 at 13:03, Matt Sicker wrote:
> >> > >>>>>
> >> > >>>>> I'll sign and publish the artifacts today.
> >> > >>>>>
> >> > >>>>> On Mon, 3 Aug 2020 at 17:43, Ralph Goers wrote:
> >> > >>>>>>
> >> > >>>>>> Thanks Remko. That makes 3 +1 votes from PMC members.
> >> > >>>>>>
> >> > >>>>>> Ralph
> >> > >>>>>>
> >> > >>>>>>> On Aug 3, 2020, at 2:12 PM, Remko Popma wrote:
> >> > >>>>>>>
> >> > >>>>>>> +1 Remko.
> >> > >>>>>>>
> >> > >>>>>>> On Tue, Aug 4, 2020 at 1:04 AM Matt Sicker wrote:
> >> > >>>>>>>
> >> > >>>>>>>> +1 from me. We can handle the release signing afterwards as
> >> > >>>>>>>> Ralph suggests.
> >> > >>>>>>>>
> >> > >>>>>>>> On Mon, 3 Aug 2020 at 10:30, Ralph Goers wrote:
> >> > >>>>>>>>>
> >> > >>>>>>>>> Can other PMC members please review this? It has been more
> >> > >>>>>>>>> than 72 hours.
> >> > >>>>>>>>>
> >> > >>>>>>>>> Ralph
> >> > >>>>>>>>>
> >> > >>>>>>>>>> On Jul 30, 2020, at 11:17 PM, Davyd McColl wrote:
> >> > >>>>>>>>>>
> >> > >>>>>>>>>> Hi all, I've never done this before, so bear with me if I
> >> > >>>>>>>>>> fluff it:
> >> > >>>>>>>>>>
> >> > >>>>>>>>>> This is a proposed vote to release log4net 2.0.9 from PR
> >> > >>>>>>>>>> https://github.com/apache/logging-log4net/pull/61
> >> > >>>>>>>>>>
> >> > >>>>>>>>>> Release artifacts (including source zip) are at:
> >> > >>>>>>>>>> https://ci.appveyor.com/project/fluffynuts/logging-log4net/builds/34063235/artifacts
> >> > >>>>>>>>>> Source can be checked out from
> >> > >>>>>>>>>> https://github.com/fluffynuts/logging-log4net/logging-log4net,
> >> > >>>>>>>>>> tag rel/2.0.9. I can't push tags to the upstream, but this tag
> >> > >>>>>>>>>> is exactly the same commit as the last in the PR mentioned
> >> > >>>>>>>>>> above, which was accepted into master a few days ago.
> >> > >>>>>>>>>>
> >> > >>>>>>>>>> Please check out the artifacts & if everyone is ok with
> >> > >>>>>>>>>> what's there, please can someone with the rights to publish
> >> > >>>>>>>>>> to nuget do so.
> >> > >>>>>>>>>>
> >> > >>>>>>>>>> Once I've seen how this process works, I'd like to tackle the
> >> > >>>>>>>>>> CVE that has been brought up on this list more than once --
> >> > >>>>>>>>>> it's a simple change which was already committed to the
> >> > >>>>>>>>>> develop branch some time ago, so there are a couple of
> >> > >>>>>>>>>> options here:
> >> > >>>>>>>>>> 1. cherry-pick that commit & do a 2.0.10 release pronto, with
> >> > >>>>>>>>>> only that change
> >> > >>>>>>>>>> 2. trawl the develop branch to see what else was already
> >> > >>>>>>>>>> solved in there, and get that out as 2.0.10, and perhaps
> >> > >>>>>>>>>> close out that branch to avoid future confusion.
> >> > >>>>>>>>>>
> >> > >>>>>>>>>> Thanks for your time
> >> > >>>>>>>>>> -d
> >> > >>>>>>>>>
> >> > >>>>>>>>
> >> > >>>>>>>> --
> >> > >>>>>>>> Matt Sicker
> >> > >>>>>>>>
> >> > >>>>>>
> >> > >>>>>
> >> > >>>>> --
> >> > >>>>> Matt Sicker
> >> > >>>>
> >> > >>>> --
> >> > >>>> Matt Sicker
> >> > >>>
> >> > >>> --
> >> > >>> Matt Sicker
> >> > >
> >> > > --
> >> > > Matt Sicker
> >> > >
> >> >
> >>
> >> --
> >> Matt Sicker
> >>
>