On Mon, 2019-04-01 at 16:11 +0200, Georg Henzler wrote:
> Hi Robert,
>
> thanks for clarifying!
>
> > ... It's an interesting read, if you have the time.
>
> [2] is a 94-message thread, impressive.
>
> > > The current ASF release policy is at [1], and it states that
> > >
> > > > Before casting +1 binding votes, individuals are REQUIRED to download
> > > > all signed source code packages onto their own hardware, verify that
> > > > they meet all requirements of ASF policy on releases as described
> > > > below, validate all cryptographic signatures, compile as provided, and
> > > > test the result on their own platform.
>
> So if we really want to get fancy, then we make Jenkins provide a docker
> image (either for download or push it to a docker registry). That docker
> image could then contain both the staged release artifacts and a sling
> starter instance. "docker run" could
>
> * check the artifacts (so basically run check_staged_release.sh, but
>   from within the docker image that contains all artifacts and all public
>   keys of the committers, you remember the PR to improve that behaviour
>   that is still open :) )
> * compile the sources
> * run a Sling instance with the released artifacts - this would be great
>   to have quickly an instance ready for local testing (I think making it
>   really easy for everyone to not only check the signatures but also the
>   functionality would definitely bring value)
>
> Using this approach IMHO we would fulfil [1].

For the release verification part I would propose a different approach, but still Jenkins-centric. Jenkins already builds tags, so we are free to check the Jenkins build tag results as part of the release verification. And we can improve Jenkins to also build the starter and run the ITs, if needed.

> A cli tool would not really be needed for this, I'd rather put all this
> code native to Jenkins. The big benefit of the "docker image+Jenkins"
> approach would be that the release finish actions are completely done
> automatically (e.g. performed automatically on Sunday without manual
> intervention :))

Yes, given that nothing is broken in Jenkins :-)

On a more serious matter, I would suggest that you start a discussion on legal-discuss to try and gauge which parts of the automation you propose are feasible. Expect some pushback, but in the end this might go through and we might gain some time.

Thanks,
Robert
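What the "check the artifacts" step discussed in this thread amounts to, as an added shell example that is not Sling's check_staged_release.sh nor any project code: every staged artifact is checked against its .sha512 file, and every detached .asc signature is verified against a KEYS file of committer public keys imported into a throwaway keyring. The flat directory layout (artifact, artifact.sha512, artifact.asc side by side) and the KEYS file path are assumptions.

```shell
# Added example (not Sling's check_staged_release.sh). Assumes artifacts,
# their .sha512 files and their detached .asc signatures sit side by side
# in one directory, and that KEYS holds the committers' public keys.
set -u

# verify_checksums DIR
# Recompute the SHA-512 of each artifact and compare it with its .sha512 file.
# Returns 0 only if every artifact has a checksum file that matches.
verify_checksums() {
    dir=$1; rc=0
    for artifact in "$dir"/*; do
        case "$artifact" in *.sha512|*.asc) continue ;; esac
        [ -f "$artifact" ] || continue
        if [ ! -f "$artifact.sha512" ]; then
            echo "MISSING checksum: $artifact"; rc=1; continue
        fi
        expected=$(awk '{print $1}' "$artifact.sha512")   # "hash" or "hash  name"
        actual=$(sha512sum "$artifact" | awk '{print $1}')
        if [ "$expected" = "$actual" ]; then
            echo "OK   checksum: $artifact"
        else
            echo "FAIL checksum: $artifact"; rc=1
        fi
    done
    return $rc
}

# verify_signatures DIR KEYS
# Import KEYS into a fresh, temporary keyring so only the published committer
# keys are trusted, then verify each artifact's detached .asc signature.
verify_signatures() {
    dir=$1; keys=$2; rc=0
    tmp=$(mktemp -d)
    gpg --homedir "$tmp" --batch --quiet --import "$keys" || { rm -rf "$tmp"; return 1; }
    for artifact in "$dir"/*; do
        case "$artifact" in *.sha512|*.asc) continue ;; esac
        [ -f "$artifact" ] || continue
        if gpg --homedir "$tmp" --batch --quiet --verify "$artifact.asc" "$artifact" 2>/dev/null; then
            echo "OK   signature: $artifact"
        else
            echo "FAIL signature: $artifact"; rc=1   # missing .asc also fails here
        fi
    done
    rm -rf "$tmp"
    return $rc
}

# Usage: sh verify_release.sh <staging-dir> <KEYS>; both checks must pass.
if [ $# -eq 2 ]; then verify_checksums "$1" && verify_signatures "$1" "$2"; fi
```

A signature check that passes against a keyring seeded from anything other than the project's published KEYS file proves nothing, which is why the keyring is created empty and populated only from that file.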
