Hi Allen, Alex and Builders,
I must say that I also think like Alex: who's to say that the builds
done on a CI server are any worse than those done locally by PMCs?

I understand that a CI server is far from a clean room environment, but
take a look at all the software you have installed on your machine and
call that cleaner with a straight face. If signing is done locally by
PMCs who verify the build, in a yet to be determined fashion, what's
the real risk here?

I would very much like to have as little friction to releases for
Apache Camel as possible.

zoran

On Tue, Dec 11, 2018 at 7:58 PM Alex Harui <aha...@adobe.com.invalid> wrote:
>
> IMO, we wouldn't publish releases signed by buildbot without being also 
> signed by a PMC RM.  If there is a way to skip buildbot PGP signing that 
> would be even better.  And we don't have to build from clean if we have a way 
> to verify the binaries.  There are new efforts going on towards creating 
> reproducible binaries that allow for such verification.
>
> My suggestion is rather simple:
>
> 1) Find a way to skip signing before pushing to Nexus release staging or have 
> buildbot sign
> 2) Have a buildbot account that can push to Git and SVN
>
> If we can do that, the PMC's can take care of the rest.

--
Zoran Regvart
