Just adding my thoughts to the problem:
Whenever I did a Maven training in the past, the core mantra I tried my
students to understand was:
"If it's hard to do with Maven, you're probably doing it wrong."
Ok ... if you're working on builds for non-java, things do get quite a lot
trickier, but still solvable.
Even if this sounds pretty blunt, in the past about 10 years of doing a lot of
projects with Maven, in the end it has proven to be very true.
I would suggest to get someone involved, who's a Maven expert, to help you
diagnose and fix the issues you are having instead of adding a patch that works
around the core problem.
I doubt Maven is actively preventing only the Royale project from doing
releases from outside the US, so I guess it's a configuration problem.
So I would suggest to get some of the Maven folks on one of the Maven lists to
help you.
Chris
Am 07.01.19, 08:59 schrieb "Alex Harui" <aha...@adobe.com.INVALID>:
Let me re-summarize, since I think people are not reading the whole thread
or the JIRA issue linked upthread.
I'm only concerned about Royale, which is the project I work on.
On 1/6/19, 11:12 PM, "Hervé BOUTEMY" <herve.bout...@free.fr> wrote:
> I don't have a strong opinion on the above, but I'm very concerned
> about a requirement of a bot pushing to SCM repos.
+1
adding that there are 2 levels of concerns for the scm repos:
1. the source repo (at least for tagging), which is either svn or git
2. the dist repo, which is svn, for release publication
in addition to this scm repos write access issues, there is also the
gpg
private key access, when signing the release
last topic to me: releasing at Apache is a 2 phases process:
1. staging, that includes the real build, to open the 72h voting period
2. publishing once vote approved, where no build happens but management
of
release area and many other parts like issue tracker
Royale is mainly interested in #1. Let me re-summarize, since I think
people are not reading the whole thread or the JIRA issue linked upthread.
Royale has been unsuccessful getting anyone other than me to be the RM.
All 3 others who have tried ran into upload/download issues running Maven's
release plugin on their machines. So, Royale is interested in having a Windows
computer configured to generate their release artifacts that all Royale RMs
could use. This Windows computer will run Maven's release plugin which must
be allowed to make commits. I can understand why many of you don't see why
Royale needs this, but I think we do, and some other projects have expressed
interest as well.
To be specific, Royale not only produces Maven artifacts, but Ant tasks as
well and the RM pushes those Ant artifacts to dist.a.o as a convenience binary.
So committing to dist.a.o is included in this request. We haven't gotten far
enough to know if we have an issue with #2, publishing after the vote. I doubt
it since #2 does not require transferring lots of data from the RM's computer.
We also haven't gotten far enough to know if the bot would need to PGP sign the
artifacts. I would hope not, but maybe Maven's release plugin or Nexus has
some restriction on that.
The workflow I envision is this:
1. RM runs Jenkins job on builds@ to create release branch, generate
artifacts , tag the repo, push artifacts to Nexus staging and
dist.a.o/dev/Royale
2. RM downloads artifacts to verify them, adds PGP signature and calls for
vote
3. PMC downloads artifacts, verifies that the source packages matches the
tag and performs other checks required by ASF release policy.
I'm a client framework developer, and finding security holes is not
something I have to do often, so I am truly interested in getting feedback from
others on potential exploits in my proposal. To me, there is enough security
in builds.a.o such that the bot could make commits and the PMC could review
those changes and catch rogue commits.
I'm also interested in other ways to effectively create a "single computer"
that is configured correctly that other committers could use to generate these
artifacts. If there was a way to temporarily place your Git/SVN creds on this
remote "single computer" that would probably be sufficient for me. Maven seems
to want an SSH key on that computer in order to push to git.
Thanks,
-Alex
