www-infrastructure-dev mailing list archives

From jan i <j...@apache.org>
Subject Re: Discussion on enabling users to specify own machines as dynamic hosts
Date Thu, 17 Apr 2014 13:35:20 GMT
On 17 April 2014 09:49, Andrea Pescetti <pescetti@apache.org> wrote:

> Alex Harui wrote:
>> On 4/16/14 11:39 PM, "Jürgen Schmidt" wrote:
>>> We need a reliable build bot systems where we can build the binary
>>> releases in a controlled environment. ...
>> IMO, you should do that outside of Apache.  Subversion, for example, has
>> other entities that ship binaries.
> In the OpenOffice case convenience binaries have a different importance:
> our users expect binaries that are approved by the project too. Eventually,
> we'll want to have digitally signed binaries coming from Apache. And this
> would require using the buildbots, or internal Apache infrastructure
> anyway... but this is an entirely different story!

Yes, it's a different story, but just to confirm: digital signing will only be
available for builds running on infra-controlled VMs!

And in my opinion any project that offers users binaries directly should
secure that these binaries are built on infra-controlled VMs (jsc@ I know,
AOO does not have MAC at infra, but we are working on it). Please remember
when a project offers binaries directly, it is done as part of the
foundation, and thereby the risk and image of the foundation; any problem
will fall back on all foundation projects.

jan I.

> Regards,
>   Andrea.
