Hello all,

In discussion with the security team I've been asked to provide answers to the following questions on how we fulfil the security requirements that go with automated GPG signing in the CI environment:

https://infra.apache.org/release-signing.html#automated-release-signing requires that the build is binary reproducible and that "The release procedure contains a validation step where all artifacts are reproduced on trusted hardware (https://www.apache.org/legal/release-policy.html#owned-controlled-hardware) before publication to pages intended for end users".

I'd like to ask everyone for assistance, especially in confirming that our builds are reproducible, but also in helping me interpret the trusted hardware request. The more I think about this, the more I tend to think we will be asked to provide some documentation of how we release as a reference.

Regards,
Jan
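The reproducibility half of the question above comes down to one check: rebuild the artifact on a second machine and see whether the bytes match. The script below is an added example for this thread, not part of Jan's message and not the project's or the ASF's own release tooling. It assumes the artifacts are zip-based (jars), builds two small constructed archives in memory in place of a CI build and a rebuild, and reports whether they are bit-for-bit identical and, if not, whether the difference is entry content or only archive metadata such as entry timestamps, which is the usual reason two otherwise identical builds fail to reproduce. It does not address the trusted-hardware part of the policy.

```python
import hashlib
import io
import zipfile


def sha256_hex(data: bytes) -> str:
    """SHA-256 of a byte string, hex encoded (the value a .sha256 file next to a release carries)."""
    return hashlib.sha256(data).hexdigest()


def make_archive(entries: dict, stamp: tuple) -> bytes:
    """Build a small zip/jar in memory. Constructed test input only: every entry gets the
    same modification time `stamp` (year, month, day, hour, minute, second), the kind of
    metadata that makes two builds of identical sources differ byte-for-byte."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in sorted(entries):
            info = zipfile.ZipInfo(name, date_time=stamp)
            info.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(info, entries[name])
    return buf.getvalue()


def compare_archives(a: bytes, b: bytes) -> dict:
    """Compare two archives produced from the same source on two machines.

    Result keys:
      identical         -- bit-for-bit equal (SHA-256 matches); this is the bar a
                           release-validation step has to meet
      missing_in_a/_b   -- entry names present in only one archive
      differing_entries -- entries present in both whose decompressed bytes differ
      metadata_only     -- not identical, yet every entry's bytes match: the difference
                           is archive metadata (timestamps, entry order, compression level)
    """
    if sha256_hex(a) == sha256_hex(b):
        return {"identical": True, "missing_in_a": [], "missing_in_b": [],
                "differing_entries": [], "metadata_only": False}
    with zipfile.ZipFile(io.BytesIO(a)) as za, zipfile.ZipFile(io.BytesIO(b)) as zb:
        names_a, names_b = set(za.namelist()), set(zb.namelist())
        differing = [n for n in sorted(names_a & names_b) if za.read(n) != zb.read(n)]
        missing_in_a = sorted(names_b - names_a)
        missing_in_b = sorted(names_a - names_b)
    return {
        "identical": False,
        "missing_in_a": missing_in_a,
        "missing_in_b": missing_in_b,
        "differing_entries": differing,
        "metadata_only": not differing and not missing_in_a and not missing_in_b,
    }


def explain(result: dict) -> str:
    """One-line verdict a release manager could paste into the validation report."""
    if result["identical"]:
        return "REPRODUCIBLE: artifact is bit-for-bit identical"
    if result["metadata_only"]:
        return ("NOT REPRODUCIBLE (metadata only): entry contents match but archive "
                "metadata differs; normalize entry timestamps and order in the build")
    parts = []
    if result["differing_entries"]:
        parts.append("entries differ: " + ", ".join(result["differing_entries"]))
    if result["missing_in_a"]:
        parts.append("only in second build: " + ", ".join(result["missing_in_a"]))
    if result["missing_in_b"]:
        parts.append("only in first build: " + ", ".join(result["missing_in_b"]))
    return "NOT REPRODUCIBLE (content): " + "; ".join(parts)


if __name__ == "__main__":
    # Constructed stand-in for a jar's contents; names and bytes are invented for the demo.
    src = {"META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
           "org/example/Foo.class": b"\xca\xfe\xba\xbe" + b"\x00" * 16}
    ci_build = make_archive(src, (2024, 1, 1, 0, 0, 0))
    rebuilt_same_stamp = make_archive(src, (2024, 1, 1, 0, 0, 0))
    rebuilt_other_stamp = make_archive(src, (2024, 1, 2, 12, 0, 0))
    print(explain(compare_archives(ci_build, rebuilt_same_stamp)))
    print(explain(compare_archives(ci_build, rebuilt_other_stamp)))
```

In a real validation step the two inputs would be the artifact downloaded from the staging area and the one rebuilt locally from the tagged source with the same toolchain versions; the `identical` result is what has to hold before the signature is trusted, and `metadata_only` tells you the fix belongs in the build configuration rather than in the sources.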
