raboof commented on issue #217: URL: https://github.com/apache/tooling-trusted-release/issues/217#issuecomment-3211351994
> Who set the criterion? Was it a Board decision, or a Security decision?

It is a long-standing requirement in the ASF Release Policy (https://www.apache.org/legal/release-policy.html#owned-controlled-hardware) that releases must be made on committer-controlled hardware. CI fairly clearly does not meet that requirement. More recently it's been a Security decision that our position is that creating a release on CI and reproducing it bit-by-bit on committer-controlled hardware is sufficient. It is a decision by Infra to implement this by creating a repo-specific key as a 'secret' and giving the PMC access to revocation keys (to use in case foul play would ever be established).

> What is the application process to Security?

To get a repo-specific key added to a repo, Infra asks projects to create an INFRA ticket in Jira (https://infra.apache.org/release-signing.html#automated-release-signing). On that ticket they'll ping the security team to check that the project understands the requirements and has its process set up for checking the reproducibility of its releases. This is not a full audit: like with most ASF policies, it is the responsibility of the PMC to provide oversight and make sure the requirements are met. The security team just makes sure the project appears to have understood the requirements and that its approach looks reasonable.

> Who processes the applications?

Infra processes the applications for a key to be added; Security provides input as described above.

> How long does it take to process the applications?

I think that mainly depends on whether the project is already well-prepared when they open their application. If they open the application at the beginning of the process it could obviously take a while. If they open the application when they're technically ready, it could be as fast as hours or days rather than weeks.

> What is the evaluation process? Does Security attempt to reproduce the builds?

Not necessarily, though we might do a spot check if something looks questionable or otherwise hard to understand.

> Where is the list of permitted projects maintained?

I don't think there is a list per se, though I agree that might be helpful, also to be able to point projects that want to start doing this to others that are already doing things well. We might add some further links to https://cwiki.apache.org/confluence/display/SECURITY/Reproducible+Builds

> What projects are on that list?

I don't know offhand.

> Who has the permissions to modify the list of permitted projects?

As there's no 'actual' list, this question doesn't really make sense, but ultimately it's Infra who adds the keys to the repos, so I suppose that's the closest answer.

> Who currently enforces that projects uploading from GitHub are permitted?

This is 'implicit' in the fact that Infra won't add keys to repos for projects that aren't permitted.