On Sun, Jan 6, 2019 at 8:20 PM Alex Harui <[email protected]> wrote:
>
> On 1/6/19, 7:54 PM, "Roman Shaposhnik" <[email protected]> wrote:
>
> On Sun, Jan 6, 2019 at 7:38 PM Alex Harui <[email protected]> wrote:
> >
> > On 1/6/19, 6:58 PM, "Roman Shaposhnik" <[email protected]> wrote:
> >
> > On Sun, Jan 6, 2019 at 6:50 PM Alex Harui <[email protected]> wrote:
> > >
> > > OK, apparently Infra doesn't want to discuss this in a JIRA issue so I
> > > will try to continue it here and bug people with emails if the thread
> > > stagnates like it did last time.
> > >
> > > I'm unclear what questions and problems are of concern here specific to
> > > this ask. IMO:
> > > 1) ASF Release Policy currently allows artifacts to be packaged on other
> > > hardware. It just has to be verified on RM/PMC-controlled hardware.
> > > 2) There is no packaging-specific security risk. Rogue executions via
> > > Jenkins are either possible or not possible, and there are plenty of
> > > other juicy targets for rogue executions besides release artifacts that
> > > are verifiable.
> >
> > I don't have a strong opinion on the above, but I'm very concerned about a
> > requirement of a bot pushing to SCM repos.
> >
> > Please explain your concern.
>
> ASF lives and dies by how well it can track IP provenance in what we release.
> That's why any non-committer interactions around SCM will give me pause.
>
> All commits, even PRs from non-committers accepted by a committer, are
> supposed to be reviewed, AIUI. So if the bot makes a commit to the repo, the
> PMC is responsible for reviewing it. In Royale's case, the bot should only
> be changing pom.xml files and making tags and branches, so a bad bot commit
> should be easy to spot and detection may even be tool-able.

In theory -- yes. In a CTR project -- maybe not. Either way, this is something
I'd only be comfortable allowing if there's a great benefit to allowing it.
Which I'm still failing to see, frankly.

> > A bot is already allowed to commit to the website repos, AIUI.
>
> Two things:
> 1. can you give me real-world examples of that?
>
> See the beginning of this thread. I posted this link to an old email:
>
> https://lists.apache.org/thread.html/efed1ff44fbfe5770ea1574b2f53a5295ae8326c5a3a5feb9f88cd48@%3Cbuilds.apache.org%3E
>
> And Karl Heinz Marbaise seemed to say that Maven is doing it.
>
> https://builds.apache.org/view/M-R/view/Maven/job/maven-box/job/maven-site/
>
> Also note that in Royale's case, the Jenkins job would not be triggered. It
> would be manually started. So one requirement of allowing packaging jobs
> could be that artifact packaging jobs cannot be automatically triggered by
> repo changes or date/time. That would better ensure that the PMC has
> reviewed any bot changes.

I'm still not following. Can you link to the commits that originate from a bot?

Thanks,
Roman.
