incubator-general mailing list archives

From David Nalley <da...@gnsa.us>
Subject Re: Robot vs. personal KEYS for signing releases
Date Mon, 08 Jun 2015 15:41:36 GMT
On Mon, Jun 8, 2015 at 9:40 AM, Cédric Champeau
<cedric.champeau@gmail.com> wrote:
> We are not using the Apache CI servers for that but our own CI server. IMHO
> you should make a difference between building and checking. Building should
> be automated as much as possible. Checking the release is a human job.
> There are lots of reasons why we stopped releasing from a local computer
> years ago.

Who has access to the keys? How are they secured, and what's the plan
for going forward with that? (and this should all be documented) I ask
this because I know of more than one project that has had a
'centralized key' to sign with; but which the PMC didn't control; and
that eventually caused problems when the person with access to the key
disappeared from the community.

As Jake said, I personally wouldn't entrust keys to the ASF's general
purpose CI infrastructure, but I haven't seen anything that
immediately sets off klaxons in my head.

--David
