Re: Can we package release artifacts on builds.a.o?

Thu, 10 Jan 2019 18:48:28 -0800 


On 1/10/19, 4:41 PM, "Dave Fisher" <dave2w...@comcast.net> wrote:

    Hi -
    
    Sent from my iPhone
    
    > On Jan 10, 2019, at 4:18 PM, Roman Shaposhnik <ro...@shaposhnik.org> 
wrote:
    > 
    >> On Thu, Jan 10, 2019 at 12:45 AM Alex Harui <aha...@adobe.com.invalid> 
wrote:
    >> 
    >> 
    >> 
    >> On 1/9/19, 7:35 PM, "Roman Shaposhnik" <ro...@shaposhnik.org> wrote:
    >> 
    >>>    On Wed, Jan 9, 2019 at 11:38 AM Alex Harui 
<aha...@adobe.com.invalid> wrote:
    >>> 
    >>> Hi Greg,
    >>> 
    >>> You may have missed some other infra-technical questions upthread that 
might help us fashion a solution.  I'll repeat them here:
    >>> 
    >>> 1) What is the state of Git->SVN and SVN->Git integration?  Could our 
job clone git to SVN, have the bot make changes in SVN with the additional 
restrictions as you said SVN could do, then sync back up to Git (including tags 
as well)?
    >>> 2) What would be the impact of infra creating a "RoyalePMC" committer 
account?
    >> 
    >>    That is definitely not allowed. PMC members are expected to be human
    >>    beings with ICLAs on file with ASF.
    >> 
    >> The only allowed users of the RoyalePMC account would be human PMC
    >> members (technically, anyone with access to private@royale).
    >> Commits from RoyalePMC would therefore have somebody's ICLA behind it.
    
    As a Royale PMC member I’m not comfortable with being on this hook.
    
    > 
    > Then just do that from under individual accounts.
    
    +1
    
    I would be comfortable with Approved PMC member credentials like are used 
for the handful of VM sysadmins from the OpenOffice PMC.

Where can I find out more about "Approved PMC member credentials"?
    
    > 
    >> 
    >>    In fact, I would go as far as to say that any PMC member willingly
    >>    disseminating his or her credentials for *others* to use is likely to
    >>    be considered for a an action from the board.
    >> 
    >> I would agree that PMC members should not share their credentials with 
others,
    >> hence the idea of having a RoyalePMC account, so no human has to share or
    >> transfer credentials to the build machine.   Is it important to know 
exactly which
    >> individual committed something or just that somebody with an ICLA 
committed something, and why?
    > 
    > It is very important to establish IP provenance down to an individual.
    
    And accountability.
    
Could someone answer why?

Thanks,
-Alex

Reply via email to