incubator-general mailing list archives

From Jake Farrell <jfarr...@apache.org>
Subject Re: Robot vs. personal KEYS for signing releases
Date Mon, 08 Jun 2015 13:36:28 GMT
No debate, the Apache CI servers are not intended to produce release
artifacts and should not be used for this purpose. The release manager
should build the artifacts locally and sign them before uploading them to
be tested and voted on. Most projects have this process scripted out fully
and will run the same script on jenkins, and then, if a release flag is
used, sign and upload the artifacts accordingly (would also recommend making
a template of the vote email so links and other details are not hand
edited). If you would like any examples, please let me know.

-Jake


On Mon, Jun 8, 2015 at 8:55 AM, Cédric Champeau <cedric.champeau@gmail.com>
wrote:

> Well I guess the debate is because of Groovy and our use of robot keys, so
> "should" vs "must". If it's a should, I think we're ok. The reason we use
> robot signing is automation. We want to avoid as much human intervention in
> the release process as possible. That is to say, in the end, the whole
> release process should be automated, only checking the artifacts should be
> human based. This is not possible if we involve individual signatures.
> Basically, for Groovy, before joining Apache, we used to automate
> everything but checking the artifacts. It worked pretty well so far... Of
> course one option is to put our private keys into the CI server but ahem...
> I don't really like the idea of having my private key in the wild.
>
> 2015-06-08 14:50 GMT+02:00 Jake Farrell <jfarrell@apache.org>:
>
> > The release manager should use their individual key, details on signing
> and
> > keys are available at [1]
> >
> > -Jake
> >
> > [1]: http://www.apache.org/dev/release-signing.html
> >
> > On Mon, Jun 8, 2015 at 2:59 AM, Roman Shaposhnik <rvs@apache.org> wrote:
> >
> > > Hi!
> > >
> > > my recollection is that the collective opinion
> > > was to discourage the use of KEYS of robots
> > > for signing the releases and prefer individuals
> > > do that with their keys.
> > >
> > > I remember a thread to that effect, but I can't
> > > google it. Am I misremembering?
> > >
> > > Thanks,
> > > Roman.
> > >
> >
>
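As an added example, not part of this thread and not Groovy's or any other project's actual release script, here is the single-script pattern Jake describes: the same script runs on CI with no flag (build plus checksums only) and on the release manager's machine with a release flag, where it additionally produces a detached, ASCII-armored signature with the RM's personal key; the verify functions are what voters run against the uploaded artifact and the project's KEYS file. The artifact name, the `SIGNING_KEY` and `ARTIFACT` variables, the `--release` flag and all function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not a real project's release script. Build and checksum steps
# are identical on CI and locally; signing happens only with --release and only
# with the release manager's personal key (never a key stored on the CI host).
set -eu

ARTIFACT="${ARTIFACT:-example-project-0.1.0-src}"  # constructed placeholder name
SIGNING_KEY="${SIGNING_KEY:-}"                      # RM's personal key id (assumption)

# Portable SHA-512: coreutils sha512sum on Linux, shasum on macOS/BSD.
sha512_of() {
  if command -v sha512sum >/dev/null 2>&1; then
    sha512sum "$1" | cut -d' ' -f1
  else
    shasum -a 512 "$1" | cut -d' ' -f1
  fi
}

# Build step, the same on CI and on the RM's machine. Here it only tars a
# source directory; a real project would invoke its build tool instead.
# gzip -n drops the timestamp so repeated builds of the same tree compare equal.
build_artifact() {
  srcdir="$1"; outdir="$2"
  mkdir -p "$outdir"
  tar -cf "$outdir/$ARTIFACT.tar" -C "$srcdir" .
  gzip -n -f "$outdir/$ARTIFACT.tar"
  printf '%s\n' "$outdir/$ARTIFACT.tar.gz"
}

# Checksum sidecar in the "<hash>  <file>" layout that sha512sum -c understands.
write_checksum() {
  f="$1"
  printf '%s  %s\n' "$(sha512_of "$f")" "$(basename "$f")" > "$f.sha512"
  printf '%s\n' "$f.sha512"
}

# Voter side: compare the artifact against its sidecar; 0 on match, 1 otherwise.
verify_checksum() {
  f="$1"
  expected="$(cut -d' ' -f1 "$f.sha512")"
  actual="$(sha512_of "$f")"
  [ "$expected" = "$actual" ]
}

# RM side, release flag only: detached armored signature with the personal key.
sign_artifact() {
  f="$1"
  [ -n "$SIGNING_KEY" ] || { echo "SIGNING_KEY not set: refusing to sign" >&2; return 1; }
  gpg --batch --yes --armor --detach-sign --local-user "$SIGNING_KEY" --output "$f.asc" "$f"
  printf '%s\n' "$f.asc"
}

# Voter side: import the project's KEYS file into a throwaway keyring and verify
# the detached signature, so the check does not depend on the voter's own keyring.
verify_signature() {
  f="$1"; keys="$2"
  tmp="$(mktemp -d)"
  gpg --batch --homedir "$tmp" --import "$keys" >/dev/null 2>&1
  if gpg --batch --homedir "$tmp" --verify "$f.asc" "$f"; then rc=0; else rc=1; fi
  rm -rf "$tmp"
  return $rc
}

# Entry point: release <srcdir> <outdir> [--release]. Prints the artifact path.
release() {
  srcdir="$1"; outdir="$2"; flag="${3:-}"
  f="$(build_artifact "$srcdir" "$outdir")"
  write_checksum "$f" >/dev/null
  if [ "$flag" = "--release" ]; then
    sign_artifact "$f" >/dev/null
  fi
  printf '%s\n' "$f"
}
```

On CI the script is invoked as `release src out` and never sees a signing key; the RM runs `SIGNING_KEY=<personal key id> release src out --release` locally, then uploads the `.tar.gz`, `.sha512` and `.asc` together. Because the build and checksum code paths are shared, a voter can rebuild on CI and compare checksums against the RM's signed artifact.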
