Hi Arnout,

Thanks a lot for your answer. The old process is documented and the new one has not yet been finalised. That being said, I haven’t checked if it is bit-by-bit reproducible. I will try to see what it means in our case and come back to you once we have more information.
Best regards,
Bertil

> On 15 Mar 2024, at 14:12, Arnout Engelen <enge...@apache.org> wrote:
>
> Hi Bertil, baremaps PPMC,
>
> Thanks for checking! That sounds pretty good already.
>
> Part of the challenge in releasing from CI is that CI systems are
> notoriously hard to secure, and an undetected supply-chain attack
> could lead to publishing artifacts with injected malware. For that
> reason I'm sure you've seen that we require that you make your build
> bit-by-bit reproducible, and include steps in your release process to
> make sure you reproduce the build on independent hardware before
> promoting your release. Have you started documenting your release
> procedure yet? Have you included reproducing the artifacts as a step?
>
>
> Kind regards,
>
> Arnout
>
>
> On Fri, Mar 15, 2024 at 11:04 AM Bertil Chapuis <bchap...@gmail.com> wrote:
>>
>> Hello Apache Security Team,
>>
>> We are currently trying to automate the release process of Apache Baremaps
>> (incubating) [1]. As highlighted in the documentation, it seems possible to
>> get GitHub secrets to sign artifacts [2]. Other projects are also using a
>> nexus username and password to publish maven snapshots and releases [3, 4].
>>
>> To do so, we drafted two release workflows on GitHub Actions.
>> - The first one [5] publishes a pre-release on GitHub. The source and binary
>> artifacts are signed and hashed. This workflow currently works
>> with a test key set as a secret in our CI.
>> - The second one [6] tries to publish snapshot artifacts on Nexus. Later on,
>> the intent is also to automate the publication of release artifacts. This
>> workflow currently fails with a 401 Unauthorized error.
>>
>> The INFRA Team asked for a review of the workflow by the security team
>> before setting the following secrets in the CI.
>> - NEXUS_USERNAME
>> - NEXUS_PASSWORD
>> - GPG_KEY_ID
>> - GPG_PASSPHRASE
>> - GPG_PRIVATE_KEY
>>
>> Thanks a lot for your help,
>>
>> Bertil Chapuis
>>
>> [1] https://github.com/apache/incubator-baremaps/issues/752
>> [2] https://infra.apache.org/release-signing.html#automated-release-signing
>> [3] https://github.com/apache/drill/blob/26f4d30dbefcc09a7dfe05576d3f9c7b45d822a0/.github/workflows/publish-snapshot.yml#L42
>> [4] https://infra.apache.org/publishing-maven-artifacts.html
>> [5] https://github.com/apache/incubator-baremaps/blob/293da521086c402ce78be931a8e90ecb50e58e7e/.github/workflows/release.yml
>> [6] https://github.com/apache/incubator-baremaps/blob/293da521086c402ce78be931a8e90ecb50e58e7e/.github/workflows/publish.yml
>
>
>
> --
> Arnout Engelen
> ASF Security Response
> Apache Pekko PPMC member
> ASF Member
> NixOS Committer
> Independent Open Source consultant
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscr...@baremaps.apache.org
> For additional commands, e-mail: dev-h...@baremaps.apache.org
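The step Arnout asks for in the quoted message, reproducing the build on independent hardware and comparing it bit-by-bit against the CI output before promoting a release, can be scripted. The following is an added example and is not part of this thread nor of the baremaps project's workflows. It assumes the release artifacts are plain files in two directories (the CI build and the local rebuild) and that the published checksum sidecar uses the sha512sum line format `<hex digest>  <file name>`; the artifact names, contents and the embedded timestamp are constructed sample data.

```python
"""Check a CI-built release candidate against an independent rebuild.

Added example, not baremaps project code. Assumptions: artifacts are plain
files in two directories, and the checksum file uses sha512sum-style lines
'<hex digest>  <file name>'. Sample artifacts below are constructed.
"""
import hashlib
import hmac
import tempfile
from pathlib import Path


def sha512_of(path: Path) -> str:
    """Stream a file through SHA-512 so large artifacts are not read into memory."""
    h = hashlib.sha512()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_checksum_file(text: str) -> dict:
    """Parse sha512sum-style lines into {file name: hex digest}.

    Tolerates the '*' binary-mode marker and blank lines. Any other malformed
    line raises instead of being skipped: a mangled checksum file should make
    the check fail, not quietly pass.
    """
    digests = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 128:
            raise ValueError(f"malformed checksum line: {raw!r}")
        digest, name = parts
        digests[name.lstrip("*")] = digest.lower()
    return digests


def verify_checksums(artifact_dir: Path, checksum_text: str) -> dict:
    """Compare every entry of a published checksum file against the files on disk."""
    expected = parse_checksum_file(checksum_text)
    ok, bad, missing = [], [], []
    for name, digest in expected.items():
        p = artifact_dir / name
        if not p.is_file():
            missing.append(name)
        elif hmac.compare_digest(sha512_of(p), digest):
            ok.append(name)
        else:
            bad.append(name)
    return {"ok": sorted(ok), "bad": sorted(bad), "missing": sorted(missing)}


def compare_builds(ci_dir: Path, rebuild_dir: Path) -> dict:
    """Bit-for-bit comparison: same file set and same SHA-512 for every artifact."""
    ci = {p.name: sha512_of(p) for p in ci_dir.iterdir() if p.is_file()}
    local = {p.name: sha512_of(p) for p in rebuild_dir.iterdir() if p.is_file()}
    result = {"match": [], "mismatch": [], "only_in_ci": [], "only_in_rebuild": []}
    for name in sorted(set(ci) | set(local)):
        if name not in local:
            result["only_in_ci"].append(name)
        elif name not in ci:
            result["only_in_rebuild"].append(name)
        elif ci[name] == local[name]:
            result["match"].append(name)
        else:
            result["mismatch"].append(name)
    # Only an identical file set with identical digests counts as reproduced.
    result["reproducible"] = not (
        result["mismatch"] or result["only_in_ci"] or result["only_in_rebuild"]
    )
    return result


def demo() -> dict:
    """Constructed sample: a CI build and a rebuild that differ in one embedded timestamp."""
    with tempfile.TemporaryDirectory() as tmp:
        ci = Path(tmp, "ci")
        local = Path(tmp, "rebuild")
        ci.mkdir()
        local.mkdir()
        # Constructed artifact bytes; real ones would be the source/binary archives.
        (ci / "example-src.zip").write_bytes(b"source-archive-bytes")
        (local / "example-src.zip").write_bytes(b"source-archive-bytes")
        (ci / "example-bin.tar.gz").write_bytes(b"built 2024-03-15T10:00:00Z")
        (local / "example-bin.tar.gz").write_bytes(b"built 2024-03-15T11:30:00Z")
        # The sidecar CI would publish next to its own artifacts.
        checksum_text = "\n".join(f"{sha512_of(p)}  {p.name}" for p in sorted(ci.iterdir()))
        return {
            "checksums": verify_checksums(ci, checksum_text),
            "rebuild": compare_builds(ci, local),
        }


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

The two checks answer different questions: `verify_checksums` only confirms that the CI artifacts match the checksum file CI itself published, which a compromised CI could satisfy trivially, whereas `compare_builds` is the independent reproduction that would catch injected content. In the constructed sample the binary archive embeds a build timestamp, so the rebuild is reported as not reproducible even though the checksum sidecar verifies cleanly; that is exactly the kind of non-determinism a release process has to eliminate before the reproduction step can gate promotion.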