On 1/6/19, 7:54 PM, "Roman Shaposhnik" <ro...@shaposhnik.org> wrote:

    On Sun, Jan 6, 2019 at 7:38 PM Alex Harui <aha...@adobe.com.invalid> wrote:
    >
    >
    >
    > On 1/6/19, 6:58 PM, "Roman Shaposhnik" <ro...@shaposhnik.org> wrote:
    >
    >     On Sun, Jan 6, 2019 at 6:50 PM Alex Harui <aha...@adobe.com.invalid> wrote:
    >     >
    >     > OK, apparently Infra doesn't want to discuss this in a JIRA issue so I will try to continue it here and bug people with emails if the thread stagnates like it did last time.
    >     >
    >     > I'm unclear what questions and problems are of concern here specific to this ask.  IMO:
    >     > 1) ASF Release Policy currently allows artifacts to be packaged on other hardware.  It just has to be verified on RM/PMC-controlled hardware
    >     > 2) There is no packaging specific security risk.  Rogue executions via Jenkins are either possible or not possible and there are plenty of other juicy targets for rogue executions besides release artifacts that are verifiable.
    >
    >     I don't have a strong opinion on the above, but I'm very concerned
    >     about a requirement of a bot pushing to SCM repos.
    >
    > Please explain your concern.
    
    ASF lives and dies by how well it can track IP provenance in what we release.
    That's why any non-committer interactions around SCM will give me pause.
    
All commits, even PRs from non-committers accepted by a committer, are supposed to be reviewed, AIUI.  So if the bot makes a commit to the repo, the PMC is responsible for reviewing it.  In Royale's case, the bot should only be changing pom.xml files and making tags and branches, so a bad bot commit should be easy to spot and detection may even be tool-able.

    > A bot is already allowed to commit to the website repos, AIUI.
    
    Two things:
       1. can you give me real-world examples of that?

See the beginning of this thread.  I posted this link to an old email:

https://lists.apache.org/thread.html/efed1ff44fbfe5770ea1574b2f53a5295ae8326c5a3a5feb9f88cd48@%3Cbuilds.apache.org%3E

And Karl Heinz Marbaise seemed to say that Maven is doing it.

https://builds.apache.org/view/M-R/view/Maven/job/maven-box/job/maven-site/

Also note that in Royale's case, the Jenkins job would not be triggered.  It 
would be manually started.  So one requirement of allowing packaging jobs could 
be that artifact packaging jobs cannot be automatically triggered by repo 
changes or date/time.  That would better ensure that the PMC has reviewed any 
bot changes.

Thanks,
-Alex
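As an added illustration of the kind of tool-able check Alex mentions (this is not code from the thread, from Royale, or from ASF Infra), the script below audits a bot commit's unified diff and flags anything that is not a `<version>` element change inside a pom.xml file. The diffs, paths and groupId are constructed samples; the assumption that a release bot's commit should only ever touch `<version>` lines in pom.xml files is the one the message above states, not a verified property of any particular Jenkins job.

```python
"""Audit a release-bot commit: only pom.xml files, only <version> lines.

Assumption (from the thread, not verified against any real job): a Royale
packaging bot's SCM commits should change nothing but <version> elements in
pom.xml files; tags and branches are refs, not diff content, so they do not
appear here.  Feed it `git show --format= <sha>` on stdin, or call
audit_bot_diff() directly.
"""
import re
import sys
from typing import List, Tuple

# A whole added/removed line must be exactly one <version>...</version> element.
VERSION_LINE = re.compile(r"^\s*<version>[^<]+</version>\s*$")


def _is_pom(path: str) -> bool:
    return path == "pom.xml" or path.endswith("/pom.xml")


def audit_bot_diff(diff_text: str) -> Tuple[bool, List[str]]:
    """Return (ok, violations) for a unified diff as produced by git.

    Every file touched must be a pom.xml, and every +/- line inside a hunk
    must be a <version> element.  Context lines, hunk headers and the
    ---/+++ file markers are skipped.
    """
    violations: List[str] = []
    current_file = "<unknown>"
    for line in diff_text.splitlines():
        if line.startswith("diff --git "):
            # "diff --git a/<path> b/<path>": take the post-image path.
            current_file = line.split(" b/", 1)[1] if " b/" in line else line
            if not _is_pom(current_file):
                violations.append(f"{current_file}: only pom.xml files may change")
            continue
        # File markers and hunk headers also start with '-', '+' or '@@'.
        if line.startswith(("--- ", "+++ ", "@@", "index ")):
            continue
        if line.startswith(("+", "-")):
            if not VERSION_LINE.match(line[1:]):
                violations.append(f"{current_file}: unexpected change: {line.rstrip()}")
    return (not violations, violations)


# Constructed sample: a clean release-plugin style version bump in two poms.
GOOD_DIFF = """diff --git a/pom.xml b/pom.xml
index 1111111..2222222 100644
--- a/pom.xml
+++ b/pom.xml
@@ -5,7 +5,7 @@
   <groupId>org.example</groupId>
   <artifactId>parent</artifactId>
-  <version>0.9.5-SNAPSHOT</version>
+  <version>0.9.5</version>
   <packaging>pom</packaging>
diff --git a/frameworks/pom.xml b/frameworks/pom.xml
index 3333333..4444444 100644
--- a/frameworks/pom.xml
+++ b/frameworks/pom.xml
@@ -7,6 +7,6 @@
   <parent>
     <artifactId>parent</artifactId>
-    <version>0.9.5-SNAPSHOT</version>
+    <version>0.9.5</version>
   </parent>
"""

# Constructed sample: a version bump smuggling in an extra pom element and a
# source-file edit, which a bot commit should never contain.
BAD_DIFF = """diff --git a/pom.xml b/pom.xml
index 5555555..6666666 100644
--- a/pom.xml
+++ b/pom.xml
@@ -5,7 +5,8 @@
   <artifactId>parent</artifactId>
-  <version>0.9.5-SNAPSHOT</version>
+  <version>0.9.5</version>
+  <extension>added-by-nobody</extension>
   <packaging>pom</packaging>
diff --git a/src/main/java/Build.java b/src/main/java/Build.java
index 7777777..8888888 100644
--- a/src/main/java/Build.java
+++ b/src/main/java/Build.java
@@ -1,3 +1,4 @@
 public class Build {
+    // tampered line
 }
"""

if __name__ == "__main__":
    ok, problems = audit_bot_diff(sys.stdin.read())
    for p in problems:
        print("VIOLATION:", p)
    sys.exit(0 if ok else 1)
```

Run as `git show --format= <bot-commit> | python audit_bot_diff.py`; a non-zero exit is the signal for a PMC member to look at the commit by hand. The check is deliberately narrow: it does not try to validate the new version string, only that nothing else moved.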
