incubator-general mailing list archives

From Cédric Champeau <cedric.champ...@gmail.com>
Subject Re: Robot vs. personal KEYS for signing releases
Date Mon, 08 Jun 2015 13:40:30 GMT
We are not using the Apache CI servers for that but our own CI server. IMHO
you should make a difference between building and checking. Building should
be automated as much as possible. Checking the release is a human job.
There are lots of reasons why we stopped releasing from a local computer
years ago.

2015-06-08 15:36 GMT+02:00 Jake Farrell <jfarrell@apache.org>:

> No debate, the Apache CI servers are not intended to produce release
> artifacts and should not be used for this purpose. The release manager
> should build the artifacts locally and sign them before uploading them to
> be tested and voted on. Most projects have this process scripted out fully
> and will run the same script on Jenkins, and then, if a release flag is
> used, sign and upload the artifacts accordingly (would also recommend making
> a template of the vote email so links and other details are not hand
> edited). If you would like any examples please let me know
>
> -Jake
>
>
> On Mon, Jun 8, 2015 at 8:55 AM, Cédric Champeau <cedric.champeau@gmail.com>
> wrote:
>
> > Well I guess the debate is because of Groovy and our use of robot keys,
> > so "should" vs "must". If it's a should, I think we're ok. The reason we
> > use robot signing is automation. We want to avoid as much human
> > intervention in the release process as possible. That is to say, in the
> > end, the whole release process should be automated, only checking the
> > artifacts should be human based. This is not possible if we involve
> > individual signatures. Basically, for Groovy, before joining Apache, we
> > used to automate everything but checking the artifacts. It worked pretty
> > well so far... Of course one option is to put our private keys into the
> > CI server but ahem... I don't really like the idea of having my private
> > key in the wild.
> >
> > 2015-06-08 14:50 GMT+02:00 Jake Farrell <jfarrell@apache.org>:
> >
> > > The release manager should use their individual key, details on signing
> > > and keys are available at [1]
> > >
> > > -Jake
> > >
> > > [1]: http://www.apache.org/dev/release-signing.html
> > >
> > > On Mon, Jun 8, 2015 at 2:59 AM, Roman Shaposhnik <rvs@apache.org> wrote:
> > >
> > > > Hi!
> > > >
> > > > my recollection is that the collective opinion
> > > > was to discourage the use of KEYS of robots
> > > > for signing the releases and prefer individuals
> > > > do that with their keys.
> > > >
> > > > I remember a thread to that effect, but I can't
> > > > google it. Am I misremembering?
> > > >
> > > > Thanks,
> > > > Roman.
> > > >
> > > > ---------------------------------------------------------------------
> > > > To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
> > > > For additional commands, e-mail: general-help@incubator.apache.org
> > > >
> > > >
> > >
> >
>
