> On Dec 11, 2018, at 9:43 AM, Joan Touzet <woh...@apache.org> wrote:
> Thanks, Allen. So I am still fighting against the system here.
I view it more as tilting at windmills but tomato, tomato. ;)
> If binaries are conveniences, and they are not official, we should be able to
> auto-push binaries built on trusted infrastructure out to the world. Why
> can't that be our (Infra maintained & supported, costly from a non-profit
> perspective) CI/CD infrastructure?
Frankly: given how much dumb stuff I see happening on the ASF Jenkins
servers on a regular basis, I know I wouldn’t trust them as far as I could
throw them. [I’m pretty sure those servers are heavy and I’m not very strong,
so that wouldn’t be very far. :) ] All it would take is one person firing off
a ‘bad’ build that then gets signed by a buildbot account and now ALL of the
ASF builds signed by that account are suspect. That would be super bad.
From a more philosophical perspective, the current model definitely
stresses the idea that the ASF is made up of diverse communities that all have
their own (relative) governance. The binary artifacts I’ve done for Apache
Yetus take a few minutes and look very different than binary artifacts from
other projects. Meanwhile, people would scream bloody murder if the artifact
build server were tied up for the ~2-3 hours it takes to make Apache Hadoop
while it downloads fresh copies of the hundreds of Docker and Apache Maven
dependencies required to build. [Because, I mean, you _are_ building
_everything_ from scratch when building these, right???]