CalvinKirs commented on issue #492: URL: https://github.com/apache/incubator-baremaps/issues/492#issuecomment-1313537830
> @CalvinKirs @julianhyde @LeonardBesseau I'm progressing on the various tasks associated with the first release, and would like to have your opinion on PGP signatures. > > Right now, we do have an action that signs the jar files published on maven central. A PGP key dedicated to the project is stored as a secret on github. Do you think it fine to use a similar approach to sign the source and binary distributions published on github? We may ask the committers to sign the project's key, but I'm not totally sure about the implications of this. > > This approach would make the release process very simple. In order to release, one of the committer would have to execute the following: > > ``` > mvn release:prepare -DautoVersionSubmodules=true -DgenerateBackupPoms=false > ``` > > As the release plugin creates a tag for the release (vX.Y.Z), the creation of the assets can be automated with an action. Furthermore, the release can remain a [draft](https://github.com/apache/incubator-baremaps/blob/9c746129246f9e38cc6a6b2367ae5e53783aac88/.github/workflows/release.yml#L31) until the vote passes on the mailing list. TBH, I haven't done that. We usually do this when we package the source code for a release, because the source code package also needs to sign. At the same time, the release is more done on the computer of the Release Manager, because there is some information such as security key. we can't all share a key. Usually most projects will have corresponding release scripts, which can help release versions quickly, I'm guessing you missed this documentation https://infra.apache.org/publishing-maven-artifacts.html -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: dev-unsubscr...@baremaps.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@baremaps.apache.org For additional commands, e-mail: dev-h...@baremaps.apache.org
