On Sun, Jan 6, 2019 at 6:50 PM Alex Harui <aha...@adobe.com.invalid> wrote:
>
> OK, apparently Infra doesn't want to discuss this in a JIRA issue, so I will
> try to continue it here and bug people with emails if the thread stagnates
> like it did last time.
>
> I'm unclear what questions and problems are of concern here specific to this
> ask. IMO:
> 1) ASF Release Policy currently allows artifacts to be packaged on other
> hardware. It just has to be verified on RM/PMC-controlled hardware.
> 2) There is no packaging-specific security risk. Rogue executions via
> Jenkins are either possible or not possible, and there are plenty of other
> juicy targets for rogue executions besides release artifacts that are
> verifiable.
I don't have a strong opinion on the above, but I'm very concerned about a requirement of a bot pushing to SCM repos.

Thanks,
Roman.