Tison: STOP cross-posting between private and public lists. You have been
advised to stop doing so once, and this is now TWICE. No more.

Regards,
Greg Stein
Infrastructure Administrator, ASF


On Mon, Jul 3, 2023 at 6:01 AM tison <wander4...@gmail.com> wrote:

> Hi Daniel,
>
> Thanks for your information! That can be an alternative for the signing
> key.
>
> Right now the blocker I met is 403 from the Nexus server which I suspect is
> the lack of permissions from the Nexus credentials. Could you confirm or
> correct it?
>
> Best,
> tison.
>
>
> On Mon, Jul 3, 2023 at 18:58, tison <wander4...@gmail.com> wrote:
>
> > Hi PJ,
> >
> > Thanks for sharing your thoughts!
> >
> > For signing key, it's a resolved topic from my perspective. I use -
> >
> > 1. A signing key commented with OPENDAL CODE AUTO SIGNING KEY[1]
> > 2. Load the key from our 1password service, while since it's a specific
> > key, I feel comfortable to pass it to INFRA member and configure as a
> > secret alternatively.
> >
> > Best,
> > tison.
> >
> > [1] https://dist.apache.org/repos/dist/release/incubator/opendal/KEYS
> >
> >
> > On Mon, Jul 3, 2023 at 18:52, PJ Fanning <fannin...@apache.org> wrote:
> >
> >> Adding the Incubator general list.
> >>
> >> My view would be that non-snapshot binary artifacts should be signed
> >> with a personal signing key - ideally the signing key that was used to
> >> release the related source release. Unfortunately, this would mean
> >> adding a user's signing key to the Apache GitHub account as a secret
> >> so that the automated GitHub Action job could access it. I don't see
> >> how we could allow personal signing keys to be added like this.
> >>
> >> On Mon, 3 Jul 2023 at 10:18, tison <wander4...@gmail.com> wrote:
> >> >
> >> > cc security
> >> >
> >> > Missed in the first place.
> >> >
> >> > Best,
> >> > tison.
> >> >
> >> >
> >> > On Thu, Jun 29, 2023 at 22:21, tison <wander4...@gmail.com> wrote:
> >> >>
> >> >> Hi security team members,
> >> >>
> >> >> I'm tison from OpenDAL Podling[1], a Rust lib providing Java binding.
> >> >>
> >> >> I have already verified that GitHub Actions work well for automatically
> >> >> deploying OpenDAL Java binding[2].
> >> >>
> >> >> When integrating it with upstream (apache/incubator-opendal), I met a
> >> >> problem that deploying Maven projects requires NEXUS credentials. For my
> >> >> personal repo, I can config my Apache ID and password as secrets. For
> >> >> apache repos, it requires handing over the credentials to INFRA team
> >> >> member. Even if I can trust the member, it's a bit less than awesome.
> >> >>
> >> >> Fortunately, INFRA provides two org-wise secrets NEXUS_USER and
> >> >> NEXUS_PW for doing so[3]. But it's limited to deploying snapshots only.
> >> >> An INFRA member suggested that I consult the security team for approval
> >> >> for such automatic deployment and they would help to grant related
> >> >> permissions if approved.
> >> >>
> >> >> Please help review the request to support ASF projects deploying
> >> >> Maven project via GitHub Actions.
> >> >>
> >> >> Best,
> >> >> tison.
> >> >>
> >> >> [1] http://github.com/apache/incubator-opendal
> >> >> [2] https://github.com/tisonkun/ci-opendal/actions/runs/5326589752
> >> >> [3] https://github.com/apache/incubator-opendal/blob/f887b671c0aae523d8862762eec71e6179e0975c/.github/workflows/bindings_java.yml#L192
> >> >>