Re: Can we package release artifacts on builds.a.o?

[Alex Harui]

On 1/6/19, 8:28 PM, "Roman Shaposhnik" <ro...@shaposhnik.org> wrote:
    > All commits, even PR's from non-commiters accepted by a committer are 
supposed to be reviewed, AIUI.  So if the bot makes a commit to the repo, the 
PMC is responsible for reviewing it.  In Royale's case, the bot should only be 
changing pom.xml files and making tags and branches, so a bad bot commit should 
be easy to spot and detection may even be tool-able.
    
    In theory -- yes. In CTR project -- may be not. Either way this is
    something I'd be only comfortable
    allowing if there's a great benefit of allowing it. Which I'm still
    failing to see, frankly.
    
It would help Royale.  As I said in the JIRA issue, our potential RM's have 
trouble getting configured, so having one box configured to crank releases 
would a great benefit to our community.  It sounds like some other projects 
want this too.


    >     > A bot is already allowed to commit to the website repos, AIUI.
    >
    >     Two things:
    >        1. can you give me real-world examples of that?
    >
    > See the beginning of this thread.  I posted this link to an old email:
    >
    > 
https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.apache.org%2Fthread.html%2Fefed1ff44fbfe5770ea1574b2f53a5295ae8326c5a3a5feb9f88cd48%40%253Cbuilds.apache.org%253E&amp;data=02%7C01%7Caharui%40adobe.com%7C3dbf3ea90f45481777d508d67458928a%7Cfa7b1b5a7b34438794aed2c178decee1%7C0%7C0%7C636824321126950349&amp;sdata=uBOFbAk79PTSE%2B3jzWVOE4081bUUHy7PYrnzEDEwqYE%3D&amp;reserved=0
    >
    > And Karl Heinz Marbaise seemed to say that Maven is doing it.
    >
    > 
https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fbuilds.apache.org%2Fview%2FM-R%2Fview%2FMaven%2Fjob%2Fmaven-box%2Fjob%2Fmaven-site%2F&amp;data=02%7C01%7Caharui%40adobe.com%7C3dbf3ea90f45481777d508d67458928a%7Cfa7b1b5a7b34438794aed2c178decee1%7C0%7C0%7C636824321126950349&amp;sdata=tq1%2FNB0mEYbLKPShdNXXkVXrsZyxssIUpRfph7mvbxk%3D&amp;reserved=0
    >
    > Also note that in Royale's case, the Jenkins job would not be triggered.  
It would be manually started.  So one requirement of allowing packaging jobs 
could be that artifact packaging jobs cannot be automatically triggered by repo 
changes or date/time.  That would better ensure that the PMC has reviewed any 
bot changes.
    
    I'm still not following. Can you link to the commits that originate from a 
bot?
    
The projects I work on do not use this feature.  Hopefully Karl or others who 
use this feature can supply commits.  I'm not sure why you need them though.

Thanks,
-Alex