On 1/6/19, 7:54 PM, "Roman Shaposhnik" <[email protected]> wrote:
On Sun, Jan 6, 2019 at 7:38 PM Alex Harui <[email protected]> wrote:
>
>
>
> On 1/6/19, 6:58 PM, "Roman Shaposhnik" <[email protected]> wrote:
>
> On Sun, Jan 6, 2019 at 6:50 PM Alex Harui <[email protected]>
wrote:
> >
> > OK, apparently Infra doesn't want to discuss this in a JIRA issue
so I will try to continue it here and bug people with emails if the thread
stagnates like it did last time.
> >
> > I'm unclear what questions and problems are of concern here
specific to this ask. IMO:
> > 1) ASF Release Policy currently allows artifacts to be packaged on
other hardware. It just has to be verified on RM/PMC-controlled hardware
> > 2) There is no packaging specific security risk. Rogue executions
via Jenkins are either possible or not possible and there are plenty of other
juicy targets for rogue executions besides release artifacts that are
verifiable.
>
> I don't have a strong opinion on the above, but I'm very concerned
> about a requirement of a bot pushing to SCM repos.
>
> Please explain your concern.
ASF lives and dies by how well it can track IP provenance in what we
release.
That's why any non-committer interactions around SCM will give me pause.
All commits, even PR's from non-commiters accepted by a committer are supposed
to be reviewed, AIUI. So if the bot makes a commit to the repo, the PMC is
responsible for reviewing it. In Royale's case, the bot should only be
changing pom.xml files and making tags and branches, so a bad bot commit should
be easy to spot and detection may even be tool-able.
> A bot is already allowed to commit to the website repos, AIUI.
Two things:
1. can you give me real-world examples of that?
See the beginning of this thread. I posted this link to an old email:
https://lists.apache.org/thread.html/efed1ff44fbfe5770ea1574b2f53a5295ae8326c5a3a5feb9f88cd48@%3Cbuilds.apache.org%3E
And Karl Heinz Marbaise seemed to say that Maven is doing it.
https://builds.apache.org/view/M-R/view/Maven/job/maven-box/job/maven-site/
Also note that in Royale's case, the Jenkins job would not be triggered. It
would be manually started. So one requirement of allowing packaging jobs could
be that artifact packaging jobs cannot be automatically triggered by repo
changes or date/time. That would better ensure that the PMC has reviewed any
bot changes.
Thanks,
-Alex
