FWIW, I created this JIRA issue to track the decision. https://issues.apache.org/jira/browse/INFRA-17540
Thanks,
-Alex

On 12/13/18, 12:22 PM, "Zoran Regvart" <zo...@regvart.com> wrote:

    Hi Allen, Alex and Builders,

    I must say that I also think like Alex, who's to say that the builds done on a CI server are any worse than those done locally by PMC's. I understand that a CI server is far from a clean room environment, but take a look at all the software you have installed on your machine and call that cleaner with a straight face.

    If signing is done locally by PMC's who verify the build, in a yet to be determined fashion, what's the real risk here?

    I would very much like to have as little friction to releases for Apache Camel as possible.

    zoran

    On Tue, Dec 11, 2018 at 7:58 PM Alex Harui <aha...@adobe.com.invalid> wrote:
    >
    > IMO, we wouldn't publish releases signed by buildbot without being also signed by a PMC RM. If there is a way to skip buildbot PGP signing that would be even better. And we don't have to build from clean if we have a way to verify the binaries. There are new efforts going on towards creating reproducible binaries that allow for such verification.
    >
    > My suggestion is rather simple:
    >
    > 1) Find a way to skip signing before pushing to Nexus release staging or have buildbot sign
    > 2) Have a buildbot account that can push to Git and SVN
    >
    > If we can do that, the PMC's can take care of the rest.

    --
    Zoran Regvart