ignite-dev mailing list archives

From Branko Čibej <br...@apache.org>
Subject Re: Signing Ignite artifacts
Date Thu, 15 Jan 2015 10:34:37 GMT
On 15.01.2015 11:02, Sergey Evdokimov wrote:
> To use Apache Code Signing Service we need to appoint one of the committers as
> release manager (https://reference.apache.org/pmc/newcodesigning).

Just to be clear: you don't need the code signing service for source
releases. For that, you only need PGP signatures from the (current) RM
and other (P)PMC members. For example, over at Subversion, every PMC
member who votes for the release artefacts also signs them, so that we
have more than one signature for any release.

Before worrying too much about publishing convenience binaries, you have
to get the process for source releases sorted out. Right now, the Ignite
code is not even close to being suitable for release. Not because of
missing features — we're not concerned with feature sets — but because
they don't conform to legal requirements:

  * Many of the sources do not have the required license headers
  * All Java APIs must be in the org.apache.ignite namespace, right now
    I see 'gridgain' all over the place
  * LICENSE and NOTICE files are missing

and so on. Fixing the above will be a lot of work so I really don't
recommend worrying about signing convenience binaries at this point.

> I'm not
> a committer. Whose account should be used to register on the Apache Code Signing
> Service?

Guys, how can you have a release manager who's not a committer? How did
Sergey even think to begin working on this in the first place?

> P.S. Signing a release using that service costs money. Who will decide whether to use
> it or not?

The PMC, of course. During incubation, that's PPMC+IPMC.

-- Brane

> On Wed, Jan 14, 2015 at 12:40 PM, Sergey Evdokimov <sevdokimov@gridgain.com>
> wrote:
>> Hello,
>> I'm working on the Ignite release process.
>> All release artifacts must be signed. Do we have a key to sign GridGain
>> artifacts or should I generate it? If I generate a key, how do I make
>> the public key trusted?
>> I've created a TeamCity configuration that builds nightly builds and uploads
>> them to https://repository.apache.org/content/repositories/snapshots .
>> (TeamCity configuration:
>> )
