On 17-Jul-08, at 11:12 PM, Wendy Smoak wrote:
I gather this is the reason that the commits (r677787 to r677789) for
the Maven Artifact release that Oleg just called a vote on look like
they were done by Jason?
I'm really not comfortable with svn credentials being shared like
that.
They are not being shared. Hudson is running as a sand-boxed user
where I have set up my credentials, so that the releases can be fully
automated where the same set of attributes are used across the board.
I tested my credentials, they work. The release plugin is not very
graceful when things at the SVN bork. I was striving for a QA'd
process so I took into account everything. The machine is secure and
the account is secure. So now that you know that, do you still think
it's a problem?
FWIW, Continuum lets you enter your svn credentials when you do a
release, and uses those for the related commits.
It's not relevant to me what Continuum can or cannot do at this point.
The community took a severe hit and Hudson has way more active
developers and it's easier to develop features because it has an
extensible API. You can look at the charts. The core group for
Continuum consists of one person: "olamy". Contrast that with the core
group in Hudson which is at least 10 people.
http://svnsearch.org/svnsearch/repos/ASF/search?path=%2Fcontinuum
http://svnsearch.org/svnsearch/repos/HUDSON/search
So it's nice to say Continuum has this or that, but who's going to fix
it? Kohsuke and company push out releases super frequently and
sometimes even every week. There's just no comparison in my mind. I
have limited time; I simply can't afford to invest anything in
Continuum. So for one feature Continuum might have, I think what I have
set up with the sandboxed Hudson user is a reasonable compromise. As a
policy we can decide as a PMC what's acceptable but the setup I have
is secure as far as I'm concerned.
Also I've had 7 people actually take the Hudson bundle and run the
Maven 2.1 ITs. That's never happened before and it's because Hudson is
so easy to make a bundle, unpack it with the Maven jobs and boom you
have a fully functional Maven environment.
--
Wendy
On Mon, Jul 7, 2008 at 8:47 AM, John Casey <[EMAIL PROTECTED]> wrote:
The rest of this release infrastructure has simply been configuration of
hudson and nexus - nexus, to provide a staging ground for releases - to
configure release jobs that deploy to this staging location instead of the
real release repository...just generalizing on configuration that we all
have in our personal settings.xml files by now. Jason's credentials are used
for SVN and SSH where necessary, and I've created a new GPG key for use in
this CI system, then signed it with my own key. That key ID is: 84B54612.
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
Thanks,
Jason
----------------------------------------------------------
Jason van Zyl
Founder, Apache Maven
jason at sonatype dot com
----------------------------------------------------------
People develop abstractions by generalizing from concrete examples.
Every attempt to determine the correct abstraction on paper without
actually developing a running system is doomed to failure. No one
is that smart. A framework is a reusable design, so you develop it by
looking at the things it is supposed to be a design of. The more examples
you look at, the more general your framework will be.
-- Ralph Johnson & Don Roberts, Patterns for Evolving Frameworks