On 1/6/19, 8:30 PM, "Dave Fisher" <dave2w...@comcast.net> wrote:

    > On Jan 6, 2019, at 7:53 PM, Roman Shaposhnik <ro...@shaposhnik.org> wrote:
    > 
    >> On Sun, Jan 6, 2019 at 7:38 PM Alex Harui <aha...@adobe.com.invalid> wrote:
    >> 
    >> On 1/6/19, 6:58 PM, "Roman Shaposhnik" <ro...@shaposhnik.org> wrote:
    >> 
    >>>    On Sun, Jan 6, 2019 at 6:50 PM Alex Harui <aha...@adobe.com.invalid> wrote:
    >>> 
    >>> OK, apparently Infra doesn't want to discuss this in a JIRA issue so I will try to continue it here and bug people with emails if the thread stagnates like it did last time.
    >>> 
    >>> I'm unclear what questions and problems are of concern here specific to this ask.  IMO:
    >>> 1) ASF Release Policy currently allows artifacts to be packaged on other hardware.  It just has to be verified on RM/PMC-controlled hardware.
    >>> 2) There is no packaging-specific security risk.  Rogue executions via Jenkins are either possible or not possible, and there are plenty of other juicy targets for rogue executions besides release artifacts that are verifiable.
    >> 
    >>    I don't have a strong opinion on the above, but I'm very concerned about a requirement of a bot pushing to SCM repos.
    >> 
    >> Please explain your concern.
    > 
    > ASF lives and dies by how well it can track IP provenance in what we release.
    > That's why any non-committer interactions around SCM will give me pause.
    
    Releases are explicitly approved by a PMC. How can the build system results be approved by the PMC? Safely and confidently?
    
The source code in the source package would match the tag in SCM.

    > 
    >> A bot is already allowed to commit to the website repos, AIUI.
    > 
    > Two things:
    >   1. can you give me real-world examples of that?
    
    Website publishing is not an act of the whole PMC. It can be triggered on commit / done as a committer’s act.
    
    >   2. website repos are much lower on my list of priorities than code
    > repos (see above for reasoning)
    
    Agreed. I see this question of “Release” as worth discussion. IMO what we are really discussing is automatically releasing build-system-produced convenience binaries.

I am not proposing a way to automatically release artifacts produced by the 
build system.  The job would be manually started.  The artifacts must be 
validated/verified by the PMC.  ASF release policy requires that.  builds@ 
policy could require that jobs that produce artifacts are not automatically 
triggered.
    
    Can we allow build-system-produced convenience binaries? If so, must we hold votes? If not, then what level of scrutiny must the PMC provide?
    
I am not proposing changing ASF policy on convenience binaries.  It should be 
up to the RM/PMC just like convenience binaries produced on an RM's computer.  
Nobody knows how good/bad they are.  I will put effort into making Royale's 
binaries reproducible if build system generated artifacts are allowed.

Please try to avoid adding other discussion topics like whether convenience 
binaries require a vote to this thread.  I would like to only focus on whether 
a buildbot could make commits as part of packaging artifacts.

Thanks,
-Alex