Hello Alex, hope that you are well. Thank you very much for the reply and sorry for the (very) late reply.
I just got back to the Jenkins situation (we will release a new CloudStack version soon). I totally understand that we cannot sign the packages in an automated way, that is far from secure. Regarding the package building, can you please advise if it is possible to configure a job on builds.apache.org? I know that there are companies using CloudStack able to donate slaves to help running the jobs packaging. If there is a way to contribute, please let me know. Additionally, I have access to create jobs, if that is ok I wold be configuring a few jobs to help the project with CI/packaging and tests. We already have a lot of help with current job, however on some cases we need to manually test the PR, and having a way of sharing the build on the development phase would be a big plus. Best regards, Gabriel. Em qui., 12 de dez. de 2019 às 13:33, Alex Harui <aha...@adobe.com> escreveu: > AIUI, you can automate everything except the verification and PGP > signing. The building and packaging doesn't have to be done on computers > under the RM's control, but before the RM applies his/her PGP signature, > the RM must convince themselves that the artifacts they are signing are > correct and safe. IMO the way to do that is to download the artifacts to a > computer under the RM's control that has the RM's PGP key on it, and then > run some sort of tests before signing. For the source package, it can be > as simple as checking out the tag into another folder and doing a diff. > For binaries it is much harder, but with the trend towards reproducible > binaries, I believe it is now practical. > > But then the RM has a pile of signed artifacts on some computer that has > to be uploaded to the distribution servers. A script can help with that, > though. > > HTH, > -Alex > > On 12/12/19, 2:55 AM, "Gabriel Beims Bräscher" <gabr...@apache.org> > wrote: > > Hello, > > I am an Apache CloudStack PMC/Committer. > > One of the goals that we at CloudStack have is to automatically build > packages and update our mirrors whenever a new release is launched. > I worked as release manager for CloudStack 4.12.0.0 (non-LTS) and > assisted on 4.13.0.0 (LTS), In both cases I executed the building > process manually (build all the deb and rpm packages and make them > available at the ACS repository mirror). It would be great to make it > automated. > > With that in mind I am wondering If is there a way to set up Jenkins. > Additionally, I work at PCextreme and as a cloud provider we would be > happy to donate resources (virtual machine(s)), if necessary to run > such > jobs. > > Thanks for all the help! > Best regards, > Gabriel. > > -- > Gabriel Beims Bräscher > Apache CloudStack Committer/PMC > The Apache Software Foundation > > https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.apache.org%2F&data=02%7C01%7Caharui%40adobe.com%7C2776a1f593ae42724ff208d77ef1bc38%7Cfa7b1b5a7b34438794aed2c178decee1%7C0%7C1%7C637117449021619621&sdata=rJarxm3rQh2Kh9oirMkQWWISQ4WquxJrO6Jr%2F2chWak%3D&reserved=0 > > https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fcloudstack.apache.org%2F&data=02%7C01%7Caharui%40adobe.com%7C2776a1f593ae42724ff208d77ef1bc38%7Cfa7b1b5a7b34438794aed2c178decee1%7C0%7C1%7C637117449021619621&sdata=jCkeUb804f7jntV9hCgVCa7cIS6MjKuN%2B4NLqgOyzIc%3D&reserved=0 > > > >
