lucene-lucene-net-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Michael Herndon <mhern...@wickedsoftware.net>
Subject Re: [Lucene.Net] Lucene.net nuget
Date Thu, 01 Dec 2011 20:04:47 GMT
Keep in mind tho that having the token checked in somewhere in the source
repository is not a good idea b/c someone could use it and publish malware
or trojans under your identity. So unless the token is stored outside the
source repository, it's not a good idea to have it in the CI.

-  stored in an ASF private repo.

the a new key probably needs to be generated and stored in the private ASF
repo as well.


The CI build is at builds.apache.org, however its not complete.

On Thu, Dec 1, 2011 at 2:45 PM, Simone Chiaretta <simone.chiaretta@gmail.com
> wrote:

> Mine below
>
> On Thu, Dec 1, 2011 at 7:28 PM, Michael Herndon <
> mherndon@wickedsoftware.net
> > wrote:
>
> > On Thu, Dec 1, 2011 at 1:04 PM, Simone Chiaretta <
> > simone.chiaretta@gmail.com
> > > wrote:
> >
> > > You mean a different impersonal Nuget account?
> > >
> >
> > yes. the goal of the impersonal account was to allow committers to push
> > nuget packages in an automated way without the need of having their own
> > account. there was some preliminary work of building nuget packages using
> > the build scripts.
> >
>
> Sorry, I haven't followed a lot lately: at the end, did we end up using
> teamcity on codebetter or another build system? I remember there were
> discussion on that but don't remember how they ended.
>
>
>
> >
> > there has been talk on various nuget channels about allowing nuget to
> have
> > --pre tag or having a separate build channel. If you're not familiar with
> > gems/bundler, its basically a way to push packages that are not official
> > releases. (nightly, ctp, beta, etc).   So in theory the CI could build
> > packages nightly if the build does not fail into a channels.
> >
> > its also helps from an overall branding perspective.
> >
>
> The author that appears on the nuget gallery page can be different from the
> owner that puts the package online.
>
>
> >
> >
> > > From what I've seen also used in MS pkgs devs have their in accounts
> but
> > > pkgs have multiple owners.
> > >
> >
> > If its possible to do so link your account as an owner & prescott's
> account
> > with the impersonal one.
> >
>
> Keep in mind tho that having the token checked in somewhere in the source
> repository is not a good idea b/c someone could use it and publish malware
> or trojans under your identity. So unless the token is stored outside the
> source repository, it's not a good idea to have it in the CI.
>
> One last thing: I notice that the official lib is strongly named... again,
> not a good idea to have the key checked in the source control. I guess now
> someone owns the key for the strong naming and does the signing offline
> from the CI. Is that correct?
>
>
> >
> >
> > > But if you want we can also go with the Lucene.net team account.
> > > Simo
> > >
> > >
> >
>
>
>
> --
> Simone Chiaretta
> Microsoft MVP ASP.NET - ASPInsider
> Blog: http://codeclimber.net.nz
> RSS: http://feeds2.feedburner.com/codeclimber
> twitter: @simonech
>
> Any sufficiently advanced technology is indistinguishable from magic
> "Life is short, play hard"
>

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message