On Wed, Jan 9, 2019 at 2:00 AM Greg Stein <gst...@gmail.com> wrote:
>
> On Wed, Jan 9, 2019 at 2:12 AM Alex Harui <aha...@adobe.com.invalid> wrote:
>
> > Here's my current summary:
> >
> > I think at least 3 projects are interested in sharing a computer to build
> > all or some of their release artifacts.
> >
> > I don't know who actually wears an Infra hat other than Greg, but his
> > response was maybe.
> >
>
> My answers/responses are official Infra replies. Gavin responded earlier in
> the thread, and is also part of Infra.
>
> But the most important person on this thread, and who will say whether this
> can be allowed, is Roman with his VP Legal Affairs role. In fact, I regard
> Infra as Legal's "hands". Much of what we do is rooted in legal concerns of
> the Foundation. (the other half is keeping shared tools operating)
>
> >...
>
> > these ideas as well. Maybe they will, maybe they won't. But to me, the
> > point is that it will save the community much time and energy if we have
> > one shared machine that can crank artifacts. Most of us change computers
> > every few years and have to get set up all over again.
> >
>
> My non-official reply to the above is "sounds brittle". If you plan to set
> up a single machine to release artifacts, and the machine blows up ... then
> how do you set it up again? Whatever set up is written down (or
> containerized, or scripted, or...) would be the same for each RM, no?
>
> > Under this "do more work" logic, builds.a.o doesn't have to exist.
> > Communities can do more work and set up their own Jenkins somewhere.
> >
>
> Oh, that would be awesome. Jenkins is a headache. We'd love that.
>
> But nah... Infra will maintain our Jenkins installation for the long and
> foreseeable future. Very many projects depend upon it, and that's what
> we're here for: stand up shared tools, and keep them operating.
>
>
> > If someone with an Infra hat on tells me to go away,
> >
>
> Nope, I won't say that. But I've tried to share what the official concerns
> are with bot accounts. The short answer is that we can't trace their
> commits to an ICLA, nor restrict their ability to sneak in bad code.
> Reliance upon human review is a non-starter, as there is no audit trail
> that a human *performed* that review.
>
> Thus, Infra/Legal leaves it to you/community to find a solution that meets
> the Foundation's concerns about provenance. For example, maybe the bot just
> creates a PR, for a human to review and merge (thus, we have an ICLA
> matched to the merge of the work).

I see this as one of the workable solutions here.

> Note that git-at-Apache was initially designed and set up by volunteers.
> When the boundaries of what Infra provides need to be pushed, we like to
> turn to volunteers to drive that. We've got a boundless set of work
> already, so when a project says "I'd like to do $X", then we say "figure
> out how to do it, and then work with us".

Huge +1 to the above.

Thanks,
Roman.