On 1/6/19, 6:58 PM, "Roman Shaposhnik" <ro...@shaposhnik.org> wrote:

    On Sun, Jan 6, 2019 at 6:50 PM Alex Harui <aha...@adobe.com.invalid> wrote:
    >
    > OK, apparently Infra doesn't want to discuss this in a JIRA issue so I
    > will try to continue it here and bug people with emails if the thread stagnates
    > like it did last time.
    >
    > I'm unclear what questions and problems are of concern here specific to
    > this ask.  IMO:
    > 1) ASF Release Policy currently allows artifacts to be packaged on other
    > hardware.  It just has to be verified on RM/PMC-controlled hardware
    > 2) There is no packaging specific security risk.  Rogue executions via
    > Jenkins are either possible or not possible and there are plenty of other juicy
    > targets for rogue executions besides release artifacts that are verifiable.
    
    I don't have a strong opinion on the above, but I'm very concerned
    about a requirement of a bot pushing to SCM repos.
    
Please explain your concern.  A bot is already allowed to commit to the website 
repos, AIUI.

Thanks,
-Alex 
