Re: [Proposal] Automate Release Signing

With this policy change, it seems like we could get really close to a release process that is just "choose a daily build that looked good". The main barrier being any place we bake the version into the artifacts. On Wed, May 3, 2023 at 2:51 PM Robert Bradshaw via dev wrote: > If this is acceptab

Re: [Proposal] Automate Release Signing

If this is acceptable per the release policy, huge +1 to automating this step (and not limited to java artifacts alone). On Wed, May 3, 2023 at 1:14 PM Kenneth Knowles wrote: > > To Robert: Good point. I didn't click through. There's always the possibility > that the two branches of the foundati

Re: [Proposal] Automate Release Signing

To Robert: Good point. I didn't click through. There's always the possibility that the two branches of the foundation disagree. In this case INFRA-23996 seems to have the needed authorities. To Danny: Fabulous. My preference would be the policy be updated so that this is clearly within policy but

Re: [Proposal] Automate Release Signing

This approach has the approval of the Apache VP of security - https://issues.apache.org/jira/browse/INFRA-23996 - and Infra seems comfortable with it if we have consensus (I have a thread going on this topic here - https://issues.apache.org/jira/browse/INFRA-24520). @Kenneth Knowles assuming Apach

Re: [Proposal] Automate Release Signing

Kenn, I'll pose the question of why would Apache Infra have a supported path for artifact signing that apparently violates Apache policy? On Wed, May 3, 2023, 12:24 PM Kenneth Knowles wrote: > To clarify: I am in favor of automating what we can. There may be > flexibility here in that only the s

Re: [Proposal] Automate Release Signing

To clarify: I am in favor of automating what we can. There may be flexibility here in that only the source release needs to be signed in this way. But I expect this reduces the utility of the automation, as the release manager will still have to have a functioning published GPG key. Actually it mig

Re: [Proposal] Automate Release Signing

I don't think we can do this. Having the release signed by the actual release manager is by design. https://www.apache.org/legal/release-policy.html#release-signing "All supplied packages MUST be cryptographically signed by the Release Manager with a detached signature" Kenn On Wed, May 3, 2023

Re: [Proposal] Automate Release Signing

+1 to this as well. On Wed, May 3, 2023 at 3:10 PM Robert Burke wrote: > +1 to simplifying release processes, since it leads to a more consistent > experience. > > If we continue to reduce release overhead we'll be able to react with more > agility when CVEs come a knocking. > > On Wed, May 3, 2

Re: [Proposal] Automate Release Signing

+1 to simplifying release processes, since it leads to a more consistent experience. If we continue to reduce release overhead we'll be able to react with more agility when CVEs come a knocking. On Wed, May 3, 2023, 12:08 PM Jack McCluskey via dev wrote: > +1 to automating release signing. As i

Re: [Proposal] Automate Release Signing

+1 to automating release signing. As it stands now, this step requires a PMC member to add a new release manager's GPG key which can add time to getting a release started. This also results in the public key used to sign each release changing from one version to the next, as different release manag

[Proposal] Automate Release Signing

Hey everyone, I'm currently working on improving our release process so that it's easier and faster for us to release. As part of this work, I'd like to propose automating our release signing step (the push java artifacts step of build_release_candidate.sh