Thank you Volkan and Daniel! I checked INFRA-24051 [1]. I understand that for releasing OpenDAL to the release repository rather than the staging repository, I need to file a ticket for a new pair of credentials.

However, I don't see any attached security team approval there. Can you share the context with the security team?

@Daniel - "prove the reproducibility of these artifacts to the security team": how can I achieve this? Or what mailing list should I use to contact the security team for advice and approval?

Best,
tison.

[1] https://issues.apache.org/jira/browse/INFRA-24051

Daniel Gruno <[email protected]> wrote on Mon, Jul 3, 2023 at 19:10:

> On 2023-07-03 13:03, Volkan Yazıcı wrote:
> > We successfully employ the very same "deploy to Maven repository from CI
> > for both snapshots and releases" practice for `logging-log4j-tools` and
> > `logging-log4j-transform` repositories. In essence, you need the
> > following secrets:
> >
> > 1. `NEXUS_USER` and `NEXUS_PW` GitHub secrets to allow CI deployments
> >    to the Nexus *snapshots* repository (INFRA-24535)
> > 2. `*_STAGE_DEPLOYER_PW` and `*_STAGE_DEPLOYER_USER` GitHub secrets to
> >    allow CI deployments to the Nexus *staging* repository (INFRA-24051)
> > 3. `GPG_SECRET_KEY` GitHub secret storing the private signing key
> >    (INFRA-23996)
> >
> > I had stated earlier to INFRA
> > <https://issues.apache.org/jira/browse/INFRA-23996> the approval of Mark
> > J. Cox, the VP of Security, on this deployment practice
> > <https://lists.apache.org/thread/t1fbn11m70sy9df86xgzzp0fllg38p9q>. I am
> > not able to understand why this needs to be re-evaluated on a request
> > basis. In particular, given Nexus is not an official ASF distribution
> > medium, but merely a convenience for projects.
>
> It is not on a request basis, but rather a project basis. We (infra) do
> not have any insights or experience with regards to OpenDAL and their
> release mechanisms, nor do we honestly know all the different Maven
> verbiage. If this is solely for non-release snapshots, then this needs
> to be communicated to us. The specific request reads as if they are
> requesting access to release official packages via CI, which would (as
> far as I am aware) require them to prove the reproducibility of these
> artifacts to the security team.
>
> > Note that you need to make sure that the released artifacts are
> > reproducible. (Again, see `logging-log4j-tools` for inspiration
> > <https://github.com/apache/logging-log4j-tools/blob/master/.github/workflows/build.yml#L80>.)
> > Otherwise, the PMC cannot verify the integrity of a CI-produced release.
> >
> > On Mon, Jul 3, 2023 at 11:18 AM tison <[email protected]> wrote:
> >
> > > cc security
> > >
> > > Missed in the first place.
> > >
> > > Best,
> > > tison.
> > >
> > > tison <[email protected]> wrote on Thu, Jun 29, 2023 at 22:21:
> > >
> > > > Hi security team members,
> > > >
> > > > I'm tison from OpenDAL Podling [1], a Rust lib providing a Java
> > > > binding.
> > > >
> > > > I have already verified that GitHub Actions work well for
> > > > automatically deploying the OpenDAL Java binding [2].
> > > >
> > > > When integrating it with upstream (apache/incubator-opendal), I
> > > > met a problem: deploying Maven projects requires NEXUS
> > > > credentials. For my personal repo, I can configure my Apache ID and
> > > > password as secrets. For apache repos, it requires handing over
> > > > the credentials to an INFRA team member. Even if I can trust the
> > > > member, it's a bit less than awesome.
> > > >
> > > > Fortunately, INFRA provides two org-wide secrets NEXUS_USER
> > > > and NEXUS_PW for doing so [3]. But they are limited to deploying
> > > > snapshots only. An INFRA member suggested that I consult the
> > > > security team for approval for such automatic deployment, and they
> > > > would help to grant related permissions if approved.
> > > >
> > > > Please help review the request to support ASF projects deploying
> > > > Maven projects via GitHub Actions.
> > > >
> > > > Best,
> > > > tison.
> > > >
> > > > [1] http://github.com/apache/incubator-opendal
> > > > [2] https://github.com/tisonkun/ci-opendal/actions/runs/5326589752
> > > > [3] https://github.com/apache/incubator-opendal/blob/f887b671c0aae523d8862762eec71e6179e0975c/.github/workflows/bindings_java.yml#L192
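The thread turns on one security point: a PMC can only vouch for a CI-produced release if a member can rebuild it from the tagged source and get byte-identical artifacts. As an added example (not code from this thread, OpenDAL, or the log4j tooling it cites), here is a small checker that compares a downloaded CI artifact tree with a local rebuild, reporting per jar whether it is identical and, if not, which archive entries differ and whether the difference is only an entry timestamp. The directory layout, the `.jar`/`.pom` filter and the sample trees are assumptions; the sample jars are constructed in a temporary directory.

```python
import filecmp
import os
import tempfile
import zipfile

def archive_diffs(ci_jar, local_jar):
    """Why two jars differ: entry on one side only, changed bytes, or same
    bytes with another entry timestamp (a build that did not pin its time)."""
    reasons = []
    with zipfile.ZipFile(ci_jar) as a, zipfile.ZipFile(local_jar) as b:
        ea, eb = ({i.filename: i for i in z.infolist()} for z in (a, b))
        for name in sorted(set(ea) | set(eb)):
            if name not in ea or name not in eb:
                reasons.append(f"{name}: only in {'local' if name not in ea else 'CI'} build")
            elif a.read(name) != b.read(name):
                reasons.append(f"{name}: content differs")
            elif ea[name].date_time != eb[name].date_time:
                reasons.append(f"{name}: timestamp differs")
    return reasons

def compare_trees(ci_dir, local_dir, exts=(".jar", ".pom")):
    """Map each CI artifact to the reasons it is not reproducible; an empty
    list means the local rebuild produced byte-identical output."""
    report = {}
    for root, _, files in os.walk(ci_dir):
        for fn in files:
            if not fn.endswith(exts):
                continue
            rel = os.path.relpath(os.path.join(root, fn), ci_dir)
            ci_file, local_file = os.path.join(ci_dir, rel), os.path.join(local_dir, rel)
            if not os.path.exists(local_file):
                report[rel] = ["missing from local rebuild"]
            elif filecmp.cmp(ci_file, local_file, shallow=False):
                report[rel] = []
            elif zipfile.is_zipfile(ci_file) and zipfile.is_zipfile(local_file):
                report[rel] = archive_diffs(ci_file, local_file)
            else:
                report[rel] = ["content differs"]
    return report

def build_sample_trees():
    """Constructed sample input (not real OpenDAL output): a 'CI' and a 'local'
    tree holding one reproducible jar and one that differs only by timestamp."""
    ci, local = tempfile.mkdtemp(), tempfile.mkdtemp()
    for side, stamp in ((ci, (2023, 7, 3, 0, 0, 0)), (local, (2023, 7, 4, 0, 0, 0))):
        for name, dt in (("good.jar", (2023, 7, 3, 0, 0, 0)), ("stamped.jar", stamp)):
            with zipfile.ZipFile(os.path.join(side, name), "w") as z:
                z.writestr(zipfile.ZipInfo("META-INF/MANIFEST.MF", dt), b"Manifest-Version: 1.0\n")
    return ci, local
```

A timestamp-only difference is the usual first finding when a Maven build has not fixed its output timestamp; a content difference in the same entry points at a non-deterministic build step rather than at the CI credentials.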
