stevedlawrence commented on code in PR #1254: URL: https://github.com/apache/daffodil/pull/1254#discussion_r1628082512
########## containers/release-candidate/README.md: ########## 
@@ -21,9 +21,9 @@ To improve reproducibility and to minimize the effects and variability of a users environment, the Daffodil release container should be used to create release candidates. -To build the Daffodil release candidate container image: +To build or update the Daffodil release candidate container image: - podman build -t daffodil-release-candidate /path/to/daffodil.git/containers/release-candidate/ + podman build -t daffodil-release-candidate https://github.com/apache/daffodil.git#main:containers/release-candidate

Review Comment:

I don't know of a good way to find all of them, but searching through the INFRA Jira for "GPG_SIGNING_KEY" (I believe this is the secret that infra adds to GitHub Actions), it looks like it's mostly projects that are part of [Apache Logging](https://logging.apache.org/). Infra also has documentation about [Automated Release Signing](https://infra.apache.org/release-signing.html#automated-release-signing) and what they require before they will allow it.

The biggest issue is reproducibility--our builds are close to reproducible, and they are close enough that it's pretty easy to verify the differences are expected, but they aren't 100% bit-for-bit the same. Note that if we only built/released source artifacts we could get it to work without a problem (those are already reproducible). But the binaries are much harder, and personally I think should be built as part of the release process, even though ASF doesn't require it.

I've opened a PR with sbt-native-packager to fix our zip binaries: [sbt/sbt-native-packager#160](https://togithub.com/sbt/sbt-native-packager/pull/1602). The Windows installer binaries I don't think we can ever make fully 100% reproducible. We'll have to figure out if ASF can make an exception if we ever want to go this route.

Also, ASF Infra is working on artifacts.apache.org which is something they are working on to ease the whole release process.
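Review bot: The new build context `https://github.com/apache/daffodil.git#main:containers/release-candidate` on the `+ podman build` line follows the tip of `main`, so two release managers building the image on different days can end up with different container definitions, which sits awkwardly with the unchanged context sentence about improving reproducibility and minimizing variability of the user's environment. Consider pinning the fragment to the tag or commit being released (for instance `https://github.com/apache/daffodil.git#<tag-or-commit>:containers/release-candidate`, where `<tag-or-commit>` is a placeholder), or at least stating in the README which revision the image should be built from, and keep the removed local-path form `podman build -t daffodil-release-candidate /path/to/daffodil.git/containers/release-candidate/` documented as an alternative for anyone testing changes to the container definition before they are merged. It is also worth confirming that the `#ref:subdir` context syntax is accepted by the podman versions release managers actually use, and while this paragraph is being touched the context line's "a users environment" could take its apostrophe.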
I think it's still TBD how much that will affect our release process (e.g. will it include signing or not), but that's something to consider too. Though, I think that's a ways off.

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at: [email protected]
