OK, apparently Infra doesn't want to discuss this in a JIRA issue so I will try to continue it here and bug people with emails if the thread stagnates like it did last time.
I'm unclear what questions and problems are of concern here specific to this ask. IMO:

1) ASF Release Policy currently allows artifacts to be packaged on other hardware. It just has to be verified on RM/PMC-controlled hardware.
2) There is no packaging-specific security risk. Rogue executions via Jenkins are either possible or not possible, and there are plenty of other juicy targets for rogue executions besides release artifacts that are verifiable.

Infra, please list questions and problems.

Thanks,
-Alex

On 1/3/19, 2:19 PM, "Alex Harui" <[email protected]> wrote:

FWIW, I created this JIRA issue to track the decision.
https://issues.apache.org/jira/browse/INFRA-17540

Thanks,
-Alex

On 12/13/18, 12:22 PM, "Zoran Regvart" <[email protected]> wrote:

Hi Allen, Alex and Builders,

I must say that I also think like Alex: who's to say that the builds done on a CI server are any worse than those done locally by PMCs? I understand that a CI server is far from a clean-room environment, but take a look at all the software you have installed on your machine and call that cleaner with a straight face.

If signing is done locally by PMCs who verify the build, in a yet-to-be-determined fashion, what's the real risk here?

I would very much like to have as little friction to releases for Apache Camel as possible.

zoran

On Tue, Dec 11, 2018 at 7:58 PM Alex Harui <[email protected]> wrote:
>
> IMO, we wouldn't publish releases signed by buildbot without being also signed by a PMC RM. If there is a way to skip buildbot PGP signing that would be even better. And we don't have to build from clean if we have a way to verify the binaries. There are new efforts going on towards creating reproducible binaries that allow for such verification.
>
> My suggestion is rather simple:
>
> 1) Find a way to skip signing before pushing to Nexus release staging or have buildbot sign
> 2) Have a buildbot account that can push to Git and SVN
>
> If we can do that, the PMCs can take care of the rest.

--
Zoran Regvart
