Re: Can we package release artifacts on builds.a.o?

2019-01-07 Thread Christofer Dutz
Just have a look at the Jenkinsfile of the PLC4X project's develop branch. The build has an additional parameter: -DaltDeploymentRepository=snapshot-repo::default::file:./local-snapshots-dir clean deploy The deploy step then uses the wagon plugin to upload. You'll figure out the rest ... Chri

Re: Can we package release artifacts on builds.a.o?

2019-01-07 Thread Hervé BOUTEMY
ok, the issue for log4net is different than Royale. A few thoughts: - perhaps you should limit your targets, since some targets look really old: this would decrease the number of configurations needed for the RM - I suppose the official source release artifact is the same for every platform: it'

Re: Can we package release artifacts on builds.a.o?

2019-01-07 Thread Hervé BOUTEMY
yes, given Royale issue looks like network connectivity reliability (and I suppose numerous and large artifacts), deploying to a local file:// based repository then having a pure upload step from file:// local repository to network based staging repository could be a solution that would be less

Re: Can we package release artifacts on builds.a.o?

2019-01-07 Thread Dave Fisher
I understand you! If you share with me do you mind if I share on dev@royale? Sent from my iPhone > On Jan 7, 2019, at 1:55 PM, Christofer Dutz wrote: > > Hi Dave, > > Well it was naturally off list. > > Chris > > Download Outlook for Android > > ___

Re: Can we package release artifacts on builds.a.o?

2019-01-07 Thread Alex Harui
On 1/7/19, 1:21 PM, "Allen Wittenauer" wrote: > On Jan 7, 2019, at 11:50 AM, Alex Harui wrote: > > I don't understand. Who am I "making" do what work? And why do at least 3 others want something similar? And what would you propose Royale should do instead? Always

Re: Help OpenWhisk team with the Jenkins configuration

2019-01-07 Thread Vincent S Hou
Can anyone from the infra team help me to look at these two issues? Thanks. https://issues.apache.org/jira/browse/INFRA-17410 https://issues.apache.org/jira/browse/INFRA-17411 Best wishes. Vincent Hou (侯胜博) Advisory Software Engineer, OpenWhisk Contributor, Open Technology, IBM Cloud Notes ID

Re: Can we package release artifacts on builds.a.o?

2019-01-07 Thread Christofer Dutz
Hi Dave, Well it was naturally off list. Chris Download Outlook for Android From: Dave Fisher Sent: Monday, January 7, 2019 10:32:38 PM To: builds@apache.org Subject: Re: Can we package release artifacts on builds.a.o? Hi Chris, Th

Re: Can we package release artifacts on builds.a.o?

2019-01-07 Thread Dave Fisher
Hi Chris, Thank you for providing Carlos with instructions. Was that on or off list? Regards, Dave Sent from my iPhone > On Jan 7, 2019, at 1:18 PM, Christofer Dutz wrote: > > Hi Alex, > > Ways to do bad stuff with just a pom.xml: > - simply adding a dependency to a vulnerable library, even

Re: PRJenkins builds for Projects

2019-01-07 Thread Christofer Dutz
Hi, In the Edgent project we were using Travis. But the integration mode has changed. The legacy way worked, but you can no longer set it up and the new way requires privileges we can't give. At least I was told from infra when I asked to change the integration version to the new one. Regard

Re: Can we package release artifacts on builds.a.o?

2019-01-07 Thread Allen Wittenauer
> On Jan 7, 2019, at 11:50 AM, Alex Harui wrote: > > I don't understand. Who am I "making" do what work? And why do at least 3 > others want something similar? And what would you propose Royale should do > instead? Always have me cut releases? If their computers are broken, they

Re: Can we package release artifacts on builds.a.o?

2019-01-07 Thread Christofer Dutz
Hi Alex, Ways to do bad stuff with just a pom.xml: - simply adding a dependency to a vulnerable library, even an intentionally staged malicious one. - Adding an exec-maven-plugin to execute anything on the host machine - Generate code - Like I introduced into the FlexJS maven build: Patch/Modify

Re: Can we package release artifacts on builds.a.o?

2019-01-07 Thread Roman Shaposhnik
On Mon, Jan 7, 2019 at 11:51 AM Alex Harui wrote: > > > > On 1/7/19, 11:38 AM, "Roman Shaposhnik" wrote: > > On Mon, Jan 7, 2019 at 11:33 AM Alex Harui > wrote: > > > > > > > > On 1/7/19, 11:05 AM, "Roman Shaposhnik" wrote: > > > > On Mon, Jan 7, 2019 at 11:00

Re: Can we package release artifacts on builds.a.o?

2019-01-07 Thread Mike Jumper
On Mon, Jan 7, 2019 at 11:00 AM Alex Harui wrote: > Hi Mike, > > Thanks for the input. IMO, that exploit would be easily seen. Indeed, but setting readability of the example aside: In the context of your question, no - it's not sufficient to verify that only pom.xml was modified. A change to

Re: Can we package release artifacts on builds.a.o?

2019-01-07 Thread Alex Harui
On 1/7/19, 11:38 AM, "Roman Shaposhnik" wrote: On Mon, Jan 7, 2019 at 11:33 AM Alex Harui wrote: > > > > On 1/7/19, 11:05 AM, "Roman Shaposhnik" wrote: > > On Mon, Jan 7, 2019 at 11:00 AM Alex Harui wrote: > > > > Hi Mike, > > >

Re: Can we package release artifacts on builds.a.o?

2019-01-07 Thread Roman Shaposhnik
On Mon, Jan 7, 2019 at 11:33 AM Alex Harui wrote: > > > > On 1/7/19, 11:05 AM, "Roman Shaposhnik" wrote: > > On Mon, Jan 7, 2019 at 11:00 AM Alex Harui > wrote: > > > > Hi Mike, > > > > Thanks for the input. IMO, that exploit would be easily seen. The > release plugin sh

Re: Can we package release artifacts on builds.a.o?

2019-01-07 Thread Alex Harui
On 1/7/19, 11:05 AM, "Roman Shaposhnik" wrote: On Mon, Jan 7, 2019 at 11:00 AM Alex Harui wrote: > > Hi Mike, > > Thanks for the input. IMO, that exploit would be easily seen. The release plugin should only be changing one-liners with version numbers. If this i

Re: Can we package release artifacts on builds.a.o?

2019-01-07 Thread Roman Shaposhnik
On Mon, Jan 7, 2019 at 11:00 AM Alex Harui wrote: > > Hi Mike, > > Thanks for the input. IMO, that exploit would be easily seen. The release > plugin should only be changing one-liners with version numbers. If this is all it ever does I still don't understand why a human operator won't suffice

Re: Can we package release artifacts on builds.a.o?

2019-01-07 Thread Alex Harui
Hi Mike, Thanks for the input. IMO, that exploit would be easily seen. The release plugin should only be changing one-liners with version numbers. Can you think of one-liner attacks? The attacker would also have to know when we are running our artifact job, otherwise commits from bot would

Re: Can we package release artifacts on builds.a.o?

2019-01-07 Thread Mike Jumper
On Mon, Jan 7, 2019 at 10:39 AM Alex Harui wrote: > Hi Greg, > > Thanks for the history. I agree with the general problem, however, for > Royale, I think the problem is constrained, but I could be wrong. I don't > think there are exploits from things like missing semicolons and other code > exp

Re: Can we package release artifacts on builds.a.o?

2019-01-07 Thread Alex Harui
Hi Greg, Thanks for the history. I agree with the general problem, however, for Royale, I think the problem is constrained, but I could be wrong. I don't think there are exploits from things like missing semicolons and other code exploits that can be executed against pom.xml files, so the Roy

Re: Can we package release artifacts on builds.a.o?

2019-01-07 Thread Greg Stein
On Mon, Jan 7, 2019 at 12:23 PM Alex Harui wrote: >... > I still don't get why allowing a bot to commit to a Git repo isn't > auditable. The changes should all be text and sent to commits@ and the > RMs job is to verify that those commits are ok before putting the artifacts > up for vote. I'd e

Re: Can we package release artifacts on builds.a.o?

2019-01-07 Thread Alex Harui
Hi Greg, Stephen, I think I do need what Greg said: the bot should be able to commit like I can now. AFAICT, Maven's release plugin does pushes to Git as it is doing its work so there isn't a clean way to stop until the RM verifies. I still don't get why allowing a bot to commit to a Git repo

Re: PRJenkins builds for Projects

2019-01-07 Thread Alex Harui
Stephen, Joan, Thanks for the pointers, but could you save me some time and explain how they implement "security" so folks can't run bitcoin miners via the PRs? Thanks, -Alex On 1/7/19, 7:54 AM, "Joan Touzet" wrote: See travis-ci.org. This is the model we could be emulating.

Re: Can we package release artifacts on builds.a.o?

2019-01-07 Thread sebb
Regarding automatic commits to websites: These are very different from code, for at least two reasons: 1) the website is not used as a dependency by other projects (apart from web indexes, of course) 2) the website source code is not updated by Jenkins, so the next build will revert any changes.

Re: Can we package release artifacts on builds.a.o?

2019-01-07 Thread Joan Touzet
> Within the Apache Subversion project, have tooling[1] to assist an RM > with > pretty much all the steps of a release. From reading this thread, it > seems > like Royale's problem is getting RMs up to speed, so maybe it can be > solved > with additional build-side tooling? > > [1] https://svn.ap

Re: PRJenkins builds for Projects

2019-01-07 Thread Joan Touzet
See travis-ci.org. This is the model we could be emulating. - Original Message - From: "Alex Harui" To: builds@apache.org Sent: Sunday, January 6, 2019 6:53:44 PM Subject: Re: PRJenkins builds for Projects What other organizations are running a similar patch/pr Jenkins capability and ho

Re: Can we package release artifacts on builds.a.o?

2019-01-07 Thread Greg Stein
On Mon, Jan 7, 2019 at 8:39 AM stephen.alan.conno...@gmail.com < stephen.alan.conno...@gmail.com> wrote: > On 2019/01/07 14:35:08, Greg Stein wrote: > > On Sun, Jan 6, 2019 at 10:20 PM Alex Harui > wrote: > > >... > > > > > All commits, even PR's from non-committers accepted by a committer are >

Re: Can we package release artifacts on builds.a.o?

2019-01-07 Thread stephen . alan . connolly
On 2019/01/07 14:35:08, Greg Stein wrote: > On Sun, Jan 6, 2019 at 10:20 PM Alex Harui wrote: > >... > > > All commits, even PR's from non-committers accepted by a committer are > > supposed to be reviewed, AIUI. So if the bot makes a commit to the repo, > > the PMC is responsible for review

Re: Can we package release artifacts on builds.a.o?

2019-01-07 Thread Greg Stein
On Sun, Jan 6, 2019 at 10:20 PM Alex Harui wrote: >... > All commits, even PR's from non-committers accepted by a committer are > supposed to be reviewed, AIUI. So if the bot makes a commit to the repo, > the PMC is responsible for reviewing it. In Royale's case, the bot should > only be changin

Re: PRJenkins builds for Projects

2019-01-07 Thread stephen . alan . connolly
The Jenkins community itself runs PR verification builds on all PRs to Jenkins core and plugins. These PRs are built on the ci.jenkins.io but it only uses disposable build agents (single-shot provisioned on Azure on demand thanks to a grant from Microsoft) On 2019/01/06 23:53:44, Alex Harui wr

Re: Can we package release artifacts on builds.a.o?

2019-01-07 Thread stephen . alan . connolly
On 2018/12/08 17:43:37, Alex Harui wrote: > Gavin, Alan, Karl, > > Thanks for the information. > > This email implies that there is a Jenkins node that can commit something. > What creds are used for that? Is there a buildbot user? > https://lists.apache.org/thread.html/efed1ff44fbfe5770e

Re: Please pick up after yourself

2019-01-07 Thread Robert Munteanu
On Thu, 2019-01-03 at 07:10 -0800, Allen Wittenauer wrote: > > Sling has a few hundred modules, if you have more specific info on > > which are problematic please let us know so we have a better chance > > of > > fixing that. > > I gave up and wrote a (relatively simple) pre-amble for our

Re: Can we package release artifacts on builds.a.o?

2019-01-07 Thread Dominik Psenner
On 2019-01-07 08:51, Alex Harui wrote: The workflow I envision is this: 1. RM runs Jenkins job on builds@ to create release branch, generate artifacts, tag the repo, push artifacts to Nexus staging and dist.a.o/dev/Royale 2. RM downloads artifacts to verify them, adds PGP signature and calls

Re: Can we package release artifacts on builds.a.o?

2019-01-07 Thread Alex Harui
On 1/7/19, 1:20 AM, "Christofer Dutz" wrote: Just adding my thoughts to the problem: Whenever I did a Maven training in the past, the core mantra I tried to get my students to understand was: "If it's hard to do with Maven, you're probably doing it wrong." Ok ... if you're worki

Re: Can we package release artifacts on builds.a.o?

2019-01-07 Thread Christofer Dutz
Just adding my thoughts to the problem: Whenever I did a Maven training in the past, the core mantra I tried to get my students to understand was: "If it's hard to do with Maven, you're probably doing it wrong." Ok ... if you're working on builds for non-java, things do get quite a lot trickier, but s