> The requirement on building locally is more than implanting mutable tags and reproducible builds, although they are worthy things to consider/implement. Please see [1]
Thanks for the response! This is indeed correct, however I believe that Arnout is actually helping to solve the owner controlled hardware point in a different way. Afaik having reproducible builds + SBOM is a way to technically address the same concerns that owner controlled hardware does but I would let him respond on this in more detail (iirc he actually brought this up some time ago). Irrespective this is going to be a long journey (if we get there) and hence it's also not something that we are pushing for as part of incubation.

On Tue, May 30, 2023 at 11:49 AM Justin Mclean <[email protected]> wrote:

> Hi,
>
> The requirement on building locally is more than implanting mutable tags and reproducible builds, although they are worthy things to consider/implement. Please see [1]
>
> Kind Regards,
> Justin
>
> 1. https://www.apache.org/legal/release-policy.html#owned-controlled-hardware
>
> On 30 May 2023, at 6:33 pm, Matthew Benedict de Detrich <[email protected]> wrote:
> >
> > I would also like to make an additional point here which is that this is another important step in hopefully being able at some point in the future to use github actions CI to produce release artifacts rather than having to build on a local machine. Doing this currently does not satisfy ASF policy due to various contention points and mutable git tags happen to be one of them (i.e. triggering the CI with a git tag is problematic because of mutability since anyone can just delete/edit the git tag later on which means that it cannot be confidently used as a marking point for a release).
> >
> > This improvement should alleviate this concern because of the reasons stated earlier. Note that there are other issues as well (i.e. Scala 3 cannot make reproducible builds, see https://github.com/lampepfl/dotty/issues/17330#issuecomment-1567996126) but the hope is that we will get to a point later down the line where doing a release this way (which is by far the standard/common way for Scala OS projects) is acceptable.
> >
> > On Fri, May 26, 2023 at 5:03 PM Matthew Benedict de Detrich <[email protected]> wrote:
> >
> >> I would like to report that thanks to asfinfra, github tag protection rules (see https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/managing-repository-settings/configuring-tag-protection-rules) have been set up which means git tags that are pushed to Pekko's github repositories are now immutable as long as they follow our version pattern (i.e. v.*.*.*).
> >>
> >> What is meant by immutable is that Pekko committers can push git tags directly onto the Pekko github repositories but once a tag matching the version pattern has been pushed, it cannot be edited or deleted unless you are an admin (which in the context of Apache means asfinfra and would be considered an exceptional circumstance). Below is a short snippet demonstrating this
> >>
> >> <@incubator-pekko>-<⎇ main>-<*>-> git push upstream v0.0.0
> >> Enumerating objects: 1, done.
> >> Counting objects: 100% (1/1), done.
> >> Writing objects: 100% (1/1), 164 bytes | 164.00 KiB/s, done.
> >> Total 1 (delta 0), reused 0 (delta 0), pack-reused 0
> >> To github.com:apache/incubator-pekko.git
> >> * [new tag] v0.0.0 -> v0.0.0
> >>
> >> <@incubator-pekko>-<⎇ main>-<*>-> git push --delete upstream v0.0.0
> >> remote: error: GH006: Protected tag update failed for refs/tags/v0.0.0.
> >> remote: error: You're not authorized to delete a protected tag
> >> To github.com:apache/incubator-pekko.git
> >> ! [remote rejected] v0.0.0 (protected tag hook declined)
> >> error: failed to push some refs to 'github.com:apache/incubator-pekko.git'
> >> <@incubator-pekko>-<⎇ main>-<*>-1->
> >>
> >> This feature is intended to be useful as part of the release process done by release managers so that we can state with confidence that tags pointing to a release are not altered.
> >>
> >> For more information see https://issues.apache.org/jira/browse/INFRA-24644?focusedCommentId=17726630&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-17726630 and https://github.com/apache/incubator-pekko/issues/342
> >>
> >> Regards
> >> --
> >>
> >> Matthew de Detrich
> >>
> >> *Aiven Deutschland GmbH*
> >>
> >> Immanuelkirchstraße 26, 10405 Berlin
> >>
> >> Amtsgericht Charlottenburg, HRB 209739 B
> >>
> >> Geschäftsführer: Oskari Saarenmaa & Hannu Valtonen
> >>
> >> *m:* +491603708037
> >>
> >> *w:* aiven.io *e:* [email protected]
> >
> > --
> >
> > Matthew de Detrich
> >
> > *Aiven Deutschland GmbH*
> >
> > Immanuelkirchstraße 26, 10405 Berlin
> >
> > Amtsgericht Charlottenburg, HRB 209739 B
> >
> > Geschäftsführer: Oskari Saarenmaa & Hannu Valtonen
> >
> > *m:* +491603708037
> >
> > *w:* aiven.io *e:* [email protected]

--

Matthew de Detrich

*Aiven Deutschland GmbH*

Immanuelkirchstraße 26, 10405 Berlin

Amtsgericht Charlottenburg, HRB 209739 B

Geschäftsführer: Oskari Saarenmaa & Hannu Valtonen

*m:* +491603708037

*w:* aiven.io *e:* [email protected]
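An added example, not part of the thread or of Pekko's tooling: a release manager can independently confirm that release tags have not been altered by comparing the commits recorded at release time with what `git ls-remote --tags` reports now. The pinned manifest, the sample output, the commit ids and the `vMAJOR.MINOR.PATCH` tag shape are all constructed assumptions.

```python
import re

# Assumed release-tag shape (vMAJOR.MINOR.PATCH); adjust to the project's rule.
RELEASE_TAG = re.compile(r"^v\d+\.\d+\.\d+$")

def parse_ls_remote(output):
    """Map tag name -> commit id from `git ls-remote --tags` output.

    Annotated tags appear twice: once as the tag object and once as a
    peeled `^{}` line naming the commit it points at. The peeled id wins.
    """
    direct, peeled = {}, {}
    for line in output.splitlines():
        parts = line.split("\t")
        if len(parts) != 2 or not parts[1].startswith("refs/tags/"):
            continue
        sha, name = parts[0].strip(), parts[1][len("refs/tags/"):]
        if name.endswith("^{}"):
            peeled[name[:-3]] = sha
        else:
            direct[name] = sha
    return {**direct, **peeled}

def audit_release_tags(pinned, remote):
    """Return (tag, status, expected, actual) for every discrepancy."""
    findings = []
    for tag, expected in sorted(pinned.items()):
        actual = remote.get(tag)
        if actual is None:
            findings.append((tag, "deleted", expected, None))
        elif actual != expected:
            findings.append((tag, "moved", expected, actual))
    # Release-shaped tags that were never recorded also deserve a look.
    for tag in sorted(set(remote) - set(pinned)):
        if RELEASE_TAG.match(tag):
            findings.append((tag, "unrecorded", None, remote[tag]))
    return findings

# Constructed sample data: placeholder ids, not real commits.
PINNED = {"v1.0.0": "a" * 40, "v1.0.1": "b" * 40, "v1.1.0": "c" * 40}
SAMPLE_LS_REMOTE = "\n".join([
    "d" * 40 + "\trefs/tags/v1.0.0",     # annotated tag object
    "a" * 40 + "\trefs/tags/v1.0.0^{}",  # peels to the pinned commit
    "e" * 40 + "\trefs/tags/v1.0.1",     # lightweight tag, now elsewhere
    "f" * 40 + "\trefs/tags/v2.0.0",     # release-shaped, never recorded
    "1" * 40 + "\trefs/tags/nightly",    # not release-shaped, ignored
])

if __name__ == "__main__":
    for finding in audit_release_tags(PINNED, parse_ls_remote(SAMPLE_LS_REMOTE)):
        print(finding)
```

Against a real repository, feed `parse_ls_remote` the output of `git ls-remote --tags <remote>` and keep the pinned manifest somewhere the tag pushers cannot rewrite.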
