infra-issues mailing list archives

From "Alex Harui (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (INFRA-17540) Allow Jenkins jobs to commit/push to SVN and Git
Date Thu, 03 Jan 2019 23:38:00 GMT

    [ https://issues.apache.org/jira/browse/INFRA-17540?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16733631#comment-16733631 ]

Alex Harui commented on INFRA-17540:
------------------------------------

[~busbey] AFAICT, release policy requires that the artifacts be verified by hardware owned
and physically controlled by the RM.  The link http://www.apache.org/legal/release-policy.html#owned-controlled-hardware
currently says:

"Strictly speaking, releases must be verified on hardware owned and controlled by the committer.
That means hardware the committer has physical possession and control of and exclusively full
administrative/superuser access to. That's because only such hardware is qualified to hold
a PGP private key, and the release should be verified on the machine the private key lives
on or on a machine as trusted as that."

I have not verified that Maven's release plugin and Nexus will let artifacts be staged without
a PGP signature.  But we can't even get that far without first being able to let the Maven
release plugin remove SNAPSHOT from versions in the POMs.

> Allow Jenkins jobs to commit/push to SVN and Git
> ------------------------------------------------
>
>                 Key: INFRA-17540
>                 URL: https://issues.apache.org/jira/browse/INFRA-17540
>             Project: Infrastructure
>          Issue Type: Improvement
>          Components: Buildbot, Jenkins
>            Reporter: Alex Harui
>            Priority: Major
>
> Creating this issue so we don't lose track:
> Per this thread: https://lists.apache.org/thread.html/6f960908e2065841d638f77d4028241f5b91f5b5bcd98ddd36d43295@%3Cbuilds.apache.org%3E
> It would be great if Jenkins jobs could commit/push to SVN and/or Git.
> I think if there was a "user" in LDAP called buildbot or build@a.o, then projects could
> see which commits are coming from builds.a.o.
> Maven builds might also require allowing this "user" to PGP sign as well.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
