infra-issues mailing list archives

From "Sean Busbey (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (INFRA-17540) Allow Jenkins jobs to commit/push to SVN and Git
Date Fri, 04 Jan 2019 20:08:00 GMT

    [ https://issues.apache.org/jira/browse/INFRA-17540?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16734532#comment-16734532 ]

Sean Busbey commented on INFRA-17540:
-------------------------------------

My understanding was that we need reliable provenance for commits to branches that are involved
in release generation as a part of the legal shield. While commits from *some* automated process
might not endanger that, commits coming from the ASF-run Jenkins itself are probably going
to, since those boxes essentially run arbitrary code submitted by the general public without
oversight (as a feature, not a bug).

bq. What about non-release artefacts, like convenience binary builds? 

I believe there already exist jobs that e.g. push convenience SNAPSHOTs to the snapshot area
of repository.apache.org for intra-project use. Anything pushed to the release area needs
to be closed/promoted by a user with a login; a bot staging things there might be an acceptable
risk, presuming projects that used the mechanism were diligent in reviewing what was present.
But I have a hard time quantifying "diligent" in a way that doesn't effectively mean more
work than just having an RM build said artifacts in the first place.

> Allow Jenkins jobs to commit/push to SVN and Git
> ------------------------------------------------
>
>                 Key: INFRA-17540
>                 URL: https://issues.apache.org/jira/browse/INFRA-17540
>             Project: Infrastructure
>          Issue Type: Improvement
>          Components: Buildbot, Jenkins
>            Reporter: Alex Harui
>            Priority: Major
>
> Creating this issue so we don't lose track:
> Per this thread: https://lists.apache.org/thread.html/6f960908e2065841d638f77d4028241f5b91f5b5bcd98ddd36d43295@%3Cbuilds.apache.org%3E
> It would be great if Jenkins jobs could commit/push to SVN and/or Git.
> I think if there was a "user" in LDAP called buildbot or build@a.o, then projects could see which commits are coming from builds.a.o.
> Maven builds might also require allowing this "user" to PGP sign as well.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
