infra-issues mailing list archives

From "Alex Harui (JIRA)" <>
Subject [jira] [Commented] (INFRA-17540) Allow Jenkins jobs to commit/push to SVN and Git
Date Fri, 04 Jan 2019 21:30:00 GMT


Alex Harui commented on INFRA-17540:

IMO, the odds that someone would exploit Jenkins to commit an attack are as low as a human
committer going rogue and doing the same. It is the PMC's job to review commits, so we would
give special review to buildbot committing something, especially when nobody is trying to
get a release out. The humans in the PMC have to verify the source either way.

If you haven't followed the original thread I linked to, there have been some recent discussions
about "reproducible builds".  If we can get this workflow going, Royale would make the effort
to create reproducible binaries as part of the requirement of "diligence" in verifying convenience
binary artifacts.  The ideal workflow is:

- RM checks latest snapshots and nightly builds to verify that they seem ok.
- RM runs artifact creation job on Jenkins at builds@
- Jenkins job pushes release branches, artifacts to release staging on Nexus, and dist.a.o, adds tags, etc.
- Jenkins job signs if Nexus/Maven requires it.
- RM downloads and verifies artifacts on hardware the RM controls and then adds his/her signature
- PMC votes on those artifacts by verifying source against tags, building source and comparing

> Allow Jenkins jobs to commit/push to SVN and Git
> ------------------------------------------------
>                 Key: INFRA-17540
>                 URL:
>             Project: Infrastructure
>          Issue Type: Improvement
>          Components: Buildbot, Jenkins
>            Reporter: Alex Harui
>            Priority: Major
> Creating this issue so we don't lose track:
> Per this thread:
> It would be great if Jenkins jobs could commit/push to SVN and/or Git.
> I think if there was a "user" in LDAP called buildbot or build@a.o, then projects could
> see which commits are coming from builds.a.o.
> Maven builds might also require allowing this "user" to PGP sign as well.

This message was sent by Atlassian JIRA
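The last two steps of the workflow above (RM verifies the staged artifacts, PMC rebuilds from the tag and compares) are where a rogue Jenkins job would be caught. The following is an added example, not code from the thread or from the Royale project, showing what "comparing" has to mean for a jar: a byte-for-byte diff fails as soon as the rebuild has different zip timestamps, so the check compares member contents instead, and separately checks the published SHA-512 side-car. The sample jars and the hypothetical member names (org/example/Foo.class) are constructed in the script; PGP signature verification of the .asc file is assumed to be done with gpg outside this script.

```python
import hashlib
import io
import zipfile


def sha512_hex(data: bytes) -> str:
    return hashlib.sha512(data).hexdigest()


def verify_checksum(artifact: bytes, published_sha512: str) -> bool:
    """Compare the artifact's SHA-512 with a published side-car line ("<hex>  <file>")."""
    return sha512_hex(artifact) == published_sha512.split()[0].lower()


def entry_digests(archive: bytes) -> dict:
    """Map each file member of a zip/jar to the SHA-256 of its content.

    Only content is hashed; entry timestamps and compression details are ignored,
    which is exactly the noise that makes naive byte comparison of rebuilt jars fail.
    """
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return {
            info.filename: hashlib.sha256(zf.read(info)).hexdigest()
            for info in zf.infolist()
            if not info.is_dir()
        }


def compare_builds(staged: bytes, rebuilt: bytes) -> dict:
    """Member-wise comparison of the staged jar against a local rebuild from the tag."""
    a, b = entry_digests(staged), entry_digests(rebuilt)
    return {
        "only_in_staged": sorted(set(a) - set(b)),
        "only_in_rebuilt": sorted(set(b) - set(a)),
        "differing": sorted(n for n in set(a) & set(b) if a[n] != b[n]),
    }


def build_jar(members: dict, mtime=(2019, 1, 4, 21, 30, 0)) -> bytes:
    """Constructed sample jar. mtime is varied between 'builds' to mimic a build
    that is reproducible in content but not in timestamps."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in sorted(members.items()):
            zi = zipfile.ZipInfo(name, date_time=mtime)
            zi.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(zi, content)
    return buf.getvalue()


# Constructed sample data (hypothetical member names, not real Royale artifacts).
SAMPLE = {
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "org/example/Foo.class": b"\xca\xfe\xba\xbe\x00\x00\x00\x34",
}
STAGED = build_jar(SAMPLE)                                   # what Jenkins pushed to Nexus
REBUILT_SAME = build_jar(SAMPLE, mtime=(2019, 1, 5, 9, 0, 0))  # PMC rebuild, same content
TAMPERED = build_jar({**SAMPLE, "org/example/Foo.class": b"\xca\xfe\xba\xbe\x00backdoor"})
PUBLISHED_SHA512 = sha512_hex(STAGED) + "  example.jar"      # the .sha512 side-car line


if __name__ == "__main__":
    print("checksum ok:", verify_checksum(STAGED, PUBLISHED_SHA512))
    print("raw bytes equal:", STAGED == REBUILT_SAME)          # False: timestamps differ
    print("member diff vs rebuild:", compare_builds(STAGED, REBUILT_SAME))
    print("member diff vs tampered:", compare_builds(STAGED, TAMPERED))
```

The checksum only proves that the file the RM downloaded is the file Jenkins staged; it says nothing about whether that file matches the tagged source. The member-wise comparison is the step that actually ties the convenience binary back to the source the PMC reviewed, and an unexpected entry in `only_in_staged` or `differing` is the signal that the build host, not just a committer, needs to be looked at.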
