To-do items that might further the goal of getting more people involved in releases, here are a couple tickets on this:

https://issues.apache.org/jira/browse/CASSANDRA-14962
https://issues.apache.org/jira/browse/CASSANDRA-14963

#14962 is really a "we're doing it wrong" ticket on release artifacts. There are also some comments in the details of http://cassandra.apache.org/doc/latest/development/release_process.html that could be streamlined and include fixing the steps, temporary upload problems, etc. Work on temporary uploads for staging the artifacts could be useful for #14963.

Michael

On 1/7/19 3:15 PM, Michael Shuler wrote:
> Mick and I have discussed this previously, but I don't recall if it was
> email or irc. Apologies if I was unable to describe the problem to a
> point of general understanding.
>
> To reiterate the problem, changing gpg signature keys screws our debian
> and redhat package repositories for all users. Tarballs are not
> installed with a client that checks signatures in a known trust
> database. When gpg key signer changes, users need to modify their trust
> on every node, importing new key(s), in order for packages to
> install/upgrade with apt or yum.
>
> I don't understand how adding keys changes release frequency. Did
> someone request a release to be made or are we on some assumed date
> interval?
>
> Michael
>
> On 1/7/19 2:30 PM, Jonathan Haddad wrote:
>> That's a good point. Looking at the ASF docs I had assumed the release
>> manager was per-project, but on closer inspection it appears to be
>> per-release. You're right, it does say that it can be any committer.
>>
>> http://www.apache.org/dev/release-publishing.html#release_manager
>>
>> We definitely need more frequent releases, if this is the first step
>> towards that goal, I think it's worth it.
>>
>> Glad you brought this up!
>> Jon
>>
>> On Mon, Jan 7, 2019 at 11:58 AM Mick Semb Wever <m...@apache.org> wrote:
>>
>>>> I don't see any reason to have any keys in there, except from release
>>>> managers who are signing releases.
>>>
>>> Shouldn't any PMC (or committer) be able to be a release manager?
>>>
>>> The release process should be reliable and reproducible enough to be safe
>>> for rotating release managers every release. I would have thought security
>>> concerns were better addressed by a more tested process? And AFAIK no other
>>> ASF projects are as restrictive on who can be the release manager role (but
>>> I've only checked a few projects).
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: dev-unsubscr...@cassandra.apache.org
>>> For additional commands, e-mail: dev-h...@cassandra.apache.org