subversion-dev mailing list archives

From Stefan <luke1...@posteo.de>
Subject Re: change release signature requirements?
Date Wed, 27 Jun 2018 07:40:36 GMT
On 24/06/2018 08:20, Stefan Sperling wrote:
> While we're on the subject of changing the supported release
> process, we could use this opportunity to lower the number of
> signatures required for a release.
>
> While we never failed to meet the current requirements eventually,
> our release process could be faster if fewer signatures were required.
>
> My suggestion would be:
>
> ASF guidelines require a minimum of signatures from 3 different people
> in total (including the release manager). To this, we could add our
> requirement of cross-platform signatures, where at least one signature
> must count for a Windows system, and at least one must count for a
> Unix-like system. Of course, more than 3 signatures are always welcome.
>
> We could also reserve an option for the RM to decide to publish a
> release with 3 signatures for any platforms, based on the RM's
> judgement of the situation (e.g. if a patch release only contained
> code changes inside #ifdef WIN32, Unix signatures could be skipped).
>
> I believe this change would help us with meeting the new 6 months schedule.
>
>
> I see *no* need to change our patch backport voting rules, by the way.

+1 from my side as well.

Maybe we'd still want to add a recommendation for the RM to at least
stay with a certain minimum timeframe for the signing process however
(maybe 3d-1w?). Not a requirement but rather a recommendation. The
rationale would be that this way anybody testing the release could plan
that way as well, rather than feeling pushed to drop everything
else and having to rush signing/testing the release to be sure we don't
miss some issues.

If so, the wording in [1] could be:

current:
[...] Before a release is officially made public, it must receive three
+1 votes from members of the Subversion PMC. In addition, as a matter of
project policy (being revisited: see dev@ thread
<https://mail-archives.apache.org/mod_mbox/subversion-dev/201708.mbox/%3C20170812173507.a37xm5lujkdo7jw3%40tarpaulin.shahaf.local2%3E>),
we require testing and signatures from at least three PMC members on
/each/ of the major platforms we support: Windows and *nix. For -alpha
and -beta releases, we still require at least one +1 vote on each major
platform we support, but waive the requirement for three signers on each
platform. (The requirement for at least three signers in total remains.)
[...] (A list of the current public keys
<https://people.apache.org/keys/group/subversion-pmc.asc> for members of
the Subversion PMC is autogenerated from LDAP each day.) [...]

new:
[...] Before a release is officially made public, it must receive three
+1 votes from members of the Subversion PMC. In addition, as a matter of
project policy, we require testing and signatures from at least one PMC
member on /each/ of the major platforms we support: Windows and *nix.
[...] (A list of the current public keys
<https://people.apache.org/keys/group/subversion-pmc.asc> for members of
the Subversion PMC is autogenerated from LDAP each day.)
The release manager is encouraged to wait at least 5 days for the
signatures before rolling the release to allow anybody (planning to)
test(ing) the release to complete signing the release before it's being
rolled.

[1]
https://subversion.apache.org/docs/community-guide/releasing.html#tarball-signing

Regards,
Stefan
