potiuk commented on code in PR #69417: URL: https://github.com/apache/airflow/pull/69417#discussion_r3525652943
########## dev/README_RELEASE_PROVIDERS.md: ########## @@ -513,6 +556,13 @@ key you want to use. ## Build and sign the source and convenience packages +> [!NOTE] +> Under the [delegated process](#delegating-release-duties-to-a-non-pmc-committer) this signing step Review Comment: I think this should be both -> building and signing. Just signing is not enough. When PMC member is signing the release they should be quite **sure** it's been generated from sources - which practically means that they should: a) checkout the sources b) switch to tag/look at commit hash c) build the packages d) sign them e) push both packages and signatures/checksums to SVN While "technically speaking" just signing is needed by the PMC member, practically it means it needs to be also built locally by the PNC member - this is explained in this FAQ: https://www.apache.org/legal/release-policy.html#owned-controlled-hardware If you short-cut it and a) committer builds the package and pushes it to SVN then b) PMC member signs it Then practically PMC member does not know what they are signing. This can be somewhat mitigated by reproducibility. When the PMC member can reproduced binary the same packages (i.e. build them) - they should be OK to sign the packages submitted by someone else - becasue they are binary the same. However, the pragmatic side of it is that if the PMC member anyhow already built the packages (to be able to compare it) - it's easier to just sign and commit the built binaries. Because they are anyhow the same. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
