IMO, we wouldn't publish releases signed by buildbot without being also signed by a PMC RM. If there is a way to skip buildbot PGP signing that would be even better. And we don't have to build from clean if we have a way to verify the binaries. There are new efforts going on towards creating reproducible binaries that allow for such verification.
My suggestion is rather simple:

1) Find a way to skip signing before pushing to Nexus release staging, or have buildbot sign.
2) Have a buildbot account that can push to Git and SVN.

If we can do that, the PMCs can take care of the rest.

Thanks,
-Alex

On 12/11/18, 9:54 AM, "Allen Wittenauer" <a...@effectivemachines.com.INVALID> wrote:

> On Dec 11, 2018, at 9:43 AM, Joan Touzet <woh...@apache.org> wrote:
> Thanks, Allen. So I am still fighting against the system here.

I view it more as tilting at windmills, but tomato, tomato. ;)

> If binaries are conveniences, and they are not official, we should be able to auto-push binaries built on trusted infrastructure out to the world. Why can't that be our (Infra maintained & supported, costly from a non-profit perspective) CI/CD infrastructure?

Frankly: given how much dumb stuff I see happening on the ASF Jenkins servers on a regular basis, I know I wouldn't trust them as far as I could throw them. [I'm pretty sure those servers are heavy and I'm not very strong, so that wouldn't be very far. :) ]

All it would take is one person firing off a 'bad' build that then gets signed by a buildbot account, and now ALL of the ASF builds signed by that account are suspect. That would be super bad.

From a more philosophical perspective, the current model definitely stresses the idea that the ASF is made up of diverse communities that all have their own (relative) governance. The binary artifacts I've done for Apache Yetus take a few minutes and look very different than binary artifacts from other projects. Meanwhile, people would scream bloody murder if the artifact build server were tied up for the ~2-3 hours it takes to make Apache Hadoop while it downloads fresh copies of the hundreds of Docker and Apache Maven dependencies required to build. [Because, I mean, you _are_ building _everything_ from scratch when building these, right???]