Adding the Incubator general list. My view would be that non-snapshot binary artifacts should be signed with a personal signing key - ideally the signing key that was used to release the related source release. Unfortunately, this would mean adding a user's signing key to the Apache GitHub account as a secret so that the automated GitHub Action job could access it. I don't see how we could allow personal signing keys to be added like this.
On Mon, 3 Jul 2023 at 10:18, tison <[email protected]> wrote:
>
> cc security
>
> Missed in the first place.
>
> Best,
> tison.
>
>
> tison <[email protected]> wrote on Thu, 29 Jun 2023 at 22:21:
>>
>> Hi security team members,
>>
>> I'm tison from OpenDAL Podling[1], a Rust lib providing a Java binding.
>>
>> I have already verified that GitHub Actions work well for automatically
>> deploying the OpenDAL Java binding[2].
>>
>> When integrating it with upstream (apache/incubator-opendal), I met a
>> problem: deploying Maven projects requires NEXUS credentials. For my
>> personal repo, I can configure my Apache ID and password as secrets. For
>> apache repos, it requires handing over the credentials to an INFRA team
>> member. Even if I can trust the member, it's a bit less than awesome.
>>
>> Fortunately, INFRA provides two org-wide secrets, NEXUS_USER and NEXUS_PW,
>> for doing so[3]. But it's limited to deploying snapshots only. An INFRA
>> member suggested that I consult the security team for approval of such
>> automatic deployment, and they would help to grant the related permissions
>> if approved.
>>
>> Please help review the request to support ASF projects deploying Maven
>> projects via GitHub Actions.
>>
>> Best,
>> tison.
>>
>> [1] http://github.com/apache/incubator-opendal
>> [2] https://github.com/tisonkun/ci-opendal/actions/runs/5326589752
>> [3] https://github.com/apache/incubator-opendal/blob/f887b671c0aae523d8862762eec71e6179e0975c/.github/workflows/bindings_java.yml#L192
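The snapshot-only constraint on the shared NEXUS_USER / NEXUS_PW secrets, turned into a guard step a job could run before `mvn deploy`; this is an added example, not code from the thread or from the OpenDAL project. It assumes a conventional POM layout (the project's own `<version>` outside any `<parent>` or `<dependency>` block) and uses the server id `apache.snapshots.https` as an assumed value; only the two secret names come from the thread.

```shell
#!/bin/sh
# Added example (not from the thread or the OpenDAL project). Refuses to deploy
# unless the POM version is a -SNAPSHOT, so org-wide credentials can never
# publish a release artifact, and writes a settings.xml that reads the
# credentials from the environment instead of embedding them in a file.

# Extract the project's own <version>: drop the <parent> block first, then
# take the first <version> that remains. A real job would rather ask Maven
# itself (mvn help:evaluate -Dexpression=project.version); this keeps the
# example offline and dependency-free.
pom_version() {
  sed '/<parent>/,/<\/parent>/d' "$1" \
    | sed -n 's:.*<version>\(.*\)</version>.*:\1:p' | head -n 1
}

# 0 when the version string ends in -SNAPSHOT, 1 otherwise.
is_snapshot_version() {
  case "$1" in
    *-SNAPSHOT) return 0 ;;
    *) return 1 ;;
  esac
}

# settings.xml whose server entry resolves ${env.NAME} at run time (standard
# Maven settings syntax), so the job only ever exports the two secrets as
# environment variables. The server id is an assumption for this example.
write_settings() {
  cat > "$1" <<'EOF'
<settings>
  <servers>
    <server>
      <id>apache.snapshots.https</id>
      <username>${env.NEXUS_USER}</username>
      <password>${env.NEXUS_PW}</password>
    </server>
  </servers>
</settings>
EOF
}

# Guard: succeed only for a snapshot POM; otherwise report and fail the step.
require_snapshot_pom() {
  v=$(pom_version "$1")
  if is_snapshot_version "$v"; then
    echo "deploying snapshot $v"
    return 0
  fi
  echo "refusing to deploy non-snapshot version '$v' with shared credentials" >&2
  return 1
}
```

In a workflow the step would be `require_snapshot_pom pom.xml && write_settings "$HOME/.m2/settings.xml"` with NEXUS_USER and NEXUS_PW exported from the org secrets, followed by the deploy.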
