On Wed, Jan 9, 2019 at 2:12 AM Alex Harui <aha...@adobe.com.invalid> wrote:

> Here's my current summary:
>
> I think at least 3 projects are interested in sharing a computer to build
> all or some of their release artifacts.
>
> I don't know who actually wears an Infra hat other than Greg, but his
> response was maybe.
>

My answers/responses are official Infra replies. Gavin responded earlier in
the thread, and is also part of Infra.

But the most important person on this thread, and who will say whether this
can be allowed, is Roman with his VP Legal Affairs role. In fact, I regard
Infra as Legal's "hands". Much of what we do is rooted in legal concerns of
the Foundation. (the other half is keeping shared tools operating)

>...

> these ideas as well.  Maybe they will, maybe they won't.  But to me, the
> point is that it will save the community much time and energy if we have
> one shared machine that can crank artifacts.  Most of us change computers
> every few years and have to get set up all over again.


My non-official reply to the above is "sounds brittle". If you plan to set
up a single machine to release artifacts, and the machine blows up ... then
how do you set it up again? Whatever set up is written down (or
containerized, or scripted, or...) would be the same for each RM, no?

> Under this "do more work" logic, builds.a.o doesn't have to exist.
> Communities can do more work and set up their own Jenkins somewhere.
>

Oh, that would be awesome. Jenkins is a headache. We'd love that.

But nah... Infra will maintain our Jenkins installation for the long and
foreseeable future. Very many projects depend upon it, and that's what
we're here for: stand up shared tools, and keep them operating.


> If someone with an Infra hat on tells me to go away,


Nope, I won't say that. But I've tried to share what the official concerns
are with bot accounts. The short answer is that we can't trace their
commits to an ICLA, nor restrict their ability to sneak in bad code.
Reliance upon human review is a non-starter, as there is no audit trail
that a human *performed* that review.

Thus, Infra/Legal leaves it to you/community to find a solution that meets
the Foundation's concerns about provenance. For example, maybe the bot just
creates a PR, for a human to review and merge (thus, we have an ICLA
matched to the merge of the work).

Note that git-at-Apache was initially designed and set up by volunteers.
When the boundaries of what Infra provides need to be pushed, we like to
turn to volunteers to drive that. We've got a boundless set of work
already, so when a project says "I'd like to do $X", then we say "figure
out how to do it, and then work with us".

Cheers,
Greg
InfraAdmin, ASF
