Let me re-summarize, since I think people are not reading the whole thread or
the JIRA issue linked upthread.
I'm only concerned about Royale, which is the project I work on.
On 1/6/19, 11:12 PM, "Hervé BOUTEMY" <herve.bout...@free.fr> wrote:
> I don't have a strong opinion on the above, but I'm very concerned
> about a requirement of a bot pushing to SCM repos.
+1
adding that there are 2 levels of concerns for the scm repos:
1. the source repo (at least for tagging), which is either svn or git
2. the dist repo, which is svn, for release publication
in addition to this scm repos write access issues, there is also the gpg
private key access, when signing the release
last topic to me: releasing at Apache is a 2 phases process:
1. staging, that includes the real build, to open the 72h voting period
2. publishing once vote approved, where no build happens but management of
release area and many other parts like issue tracker
Royale is mainly interested in #1. Let me re-summarize, since I think people
are not reading the whole thread or the JIRA issue linked upthread.
Royale has been unsuccessful getting anyone other than me to be the RM. All 3
others who have tried ran into upload/download issues running Maven's release
plugin on their machines. So, Royale is interested in having a Windows
computer configured to generate their release artifacts that all Royale RMs
could use. This Windows computer will run Maven's release plugin which must
be allowed to make commits. I can understand why many of you don't see why
Royale needs this, but I think we do, and some other projects have expressed
interest as well.
To be specific, Royale not only produces Maven artifacts, but Ant tasks as well
and the RM pushes those Ant artifacts to dist.a.o as a convenience binary. So
committing to dist.a.o is included in this request. We haven't gotten far
enough to know if we have an issue with #2, publishing after the vote. I doubt
it since #2 does not require transferring lots of data from the RM's computer.
We also haven't gotten far enough to know if the bot would need to PGP sign the
artifacts. I would hope not, but maybe Maven's release plugin or Nexus has
some restriction on that.
The workflow I envision is this:
1. RM runs Jenkins job on builds@ to create release branch, generate artifacts
, tag the repo, push artifacts to Nexus staging and dist.a.o/dev/Royale
2. RM downloads artifacts to verify them, adds PGP signature and calls for vote
3. PMC downloads artifacts, verifies that the source packages matches the tag
and performs other checks required by ASF release policy.
I'm a client framework developer, and finding security holes is not something I
have to do often, so I am truly interested in getting feedback from others on
potential exploits in my proposal. To me, there is enough security in
builds.a.o such that the bot could make commits and the PMC could review those
changes and catch rogue commits.
I'm also interested in other ways to effectively create a "single computer"
that is configured correctly that other committers could use to generate these
artifacts. If there was a way to temporarily place your Git/SVN creds on this
remote "single computer" that would probably be sufficient for me. Maven seems
to want an SSH key on that computer in order to push to git.
Thanks,
-Alex
