ppkarwasz commented on issue #171:
URL: https://github.com/apache/tooling-trusted-release/issues/171#issuecomment-2971835362

   > There is a revision attached to drafts and a failed vote is returned to 
   > the Compose state allowing new files to be output.
   
   I didn't notice, can the release vote point to a specific revision then? The 
link included in vote e-mails should point to something immutable.
   
   > Also in the Finish step we allow files to have rc tags removed from their 
   > names.
   > 
   > I'm not sure if this will play well with Nexus.
   
   The `rc` tag **must not appear in the content** of the binaries we produce, 
as this would break reproducibility checks. We can certainly retain `rc` in the 
filenames of the distribution archives.
   
   Has there been any discussion on an integration between ATR and 
Nexus/Central Portal? The Central Portal expects a ZIP archive containing JARs 
arranged in the standard Maven Repository layout. In Log4j, we could adapt our 
build process as follows:
   
   1. **Create an ATR release** by providing the SHA1 of a commit from the 
`logging-log4j2` repository.
   2. **ATR could generate a reproducible source archive** from the contents of 
that commit. For some projects (e.g., `log4cxx`), where the source is the only 
release artifact, this would complete the process.
   3. **For Log4j**, we could use GitHub Workflows to upload additional 
artifacts to ATR, such as:
   
      * A ZIP archive of the JARs, formatted for Central Portal.
      * An SBOM
      * An archive with unit test results.
   
      All artifacts could be accompanied by *in-toto* attestations instead of 
traditional signatures, to ensure provenance.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscr...@tooling.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
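The comment above sketches a bundle of JARs in standard Maven repository layout, built reproducibly, with the `rc` tag allowed in file names but not inside the binaries. The following is an added example written for this page, not code from ATR, Log4j or the Central Portal: it lays the artifacts out under `groupId/artifactId/version/`, writes the ZIP deterministically (sorted entries, fixed timestamp and permissions) so two builds from the same inputs hash identically, optionally strips the `rc` tag from paths as the Finish step would, and scans JAR manifests and POMs for an `rc` tag that leaked into content. Assumptions not taken from the thread: that `.md5`/`.sha1` sidecar files sit beside each artifact, that `Implementation-Version` in `META-INF/MANIFEST.MF` is where a version string would leak, and the sample coordinates, version and JAR bytes, which are constructed here.

```python
"""Added example (not ATR, Log4j or Central Portal code): reproducible Maven-layout
bundle plus an rc-tag leak check. Sample artifacts are constructed inline."""
import hashlib
import io
import re
import zipfile

# Assumptions (not from the original comment): checksum sidecars next to each
# artifact, and a fixed DOS timestamp / mode for every ZIP entry.
FIXED_TIME = (1980, 1, 1, 0, 0, 0)   # earliest timestamp ZIP can represent
RC_TAG = re.compile(r"-rc\d+")


def strip_rc_tag(version: str) -> str:
    """'2.24.0-rc1' -> '2.24.0' (the file renaming done in the Finish step)."""
    return RC_TAG.sub("", version)


def make_jar(manifest_version: str, payload: bytes) -> bytes:
    """Constructed stand-in for a real build output: a JAR with a manifest."""
    manifest = f"Manifest-Version: 1.0\nImplementation-Version: {manifest_version}\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name, data in (("META-INF/MANIFEST.MF", manifest.encode()),
                           ("org/example/Hello.class", payload)):
            info = zipfile.ZipInfo(name, date_time=FIXED_TIME)
            info.compress_type = zipfile.ZIP_DEFLATED
            jar.writestr(info, data)
    return buf.getvalue()


def build_bundle(group_id, artifact_id, version, artifacts, finish=False):
    """artifacts maps a suffix ('.jar', '.pom', '-sources.jar') to its bytes.
    Returns (bundle_bytes, sorted list of entry names)."""
    ver = strip_rc_tag(version) if finish else version
    base = f"{group_id.replace('.', '/')}/{artifact_id}/{ver}"
    entries = {}
    for suffix, data in artifacts.items():
        name = f"{base}/{artifact_id}-{ver}{suffix}"
        entries[name] = data
        entries[name + ".md5"] = (hashlib.md5(data).hexdigest() + "\n").encode()
        entries[name + ".sha1"] = (hashlib.sha1(data).hexdigest() + "\n").encode()
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in sorted(entries):          # entry order is part of the bytes
            info = zipfile.ZipInfo(name, date_time=FIXED_TIME)
            info.compress_type = zipfile.ZIP_DEFLATED
            info.external_attr = 0o644 << 16  # fixed permissions, no owner info
            zf.writestr(info, entries[name])
    return buf.getvalue(), sorted(entries)


def bundle_digest(bundle: bytes) -> str:
    """SHA-256 of the bundle; equal across rebuilds if the build is reproducible."""
    return hashlib.sha256(bundle).hexdigest()


def rc_tag_leaks(bundle: bytes):
    """Entry names whose *content* carries an rc tag: JAR manifests and POMs.
    Names are not checked, since the tag is allowed to stay in file names."""
    leaks = []
    with zipfile.ZipFile(io.BytesIO(bundle)) as zf:
        for name in zf.namelist():
            data = zf.read(name)
            if name.endswith(".jar"):
                with zipfile.ZipFile(io.BytesIO(data)) as jar:
                    if "META-INF/MANIFEST.MF" not in jar.namelist():
                        continue
                    data = jar.read("META-INF/MANIFEST.MF")
            elif not name.endswith(".pom"):
                continue
            if RC_TAG.search(data.decode("utf-8", "replace")):
                leaks.append(name)
    return leaks


# Constructed sample input (coordinates are Log4j's, the version and bytes are made up).
GROUP, ARTIFACT, VERSION = "org.apache.logging.log4j", "log4j-api", "2.24.0-rc1"
POM = (b"<project><groupId>org.apache.logging.log4j</groupId>"
       b"<artifactId>log4j-api</artifactId><version>2.24.0</version></project>\n")
GOOD = {".jar": make_jar("2.24.0", b"\xca\xfe\xba\xbe"), ".pom": POM}       # tag only in names
BAD = {".jar": make_jar("2.24.0-rc1", b"\xca\xfe\xba\xbe"), ".pom": POM}    # tag baked into the JAR

if __name__ == "__main__":
    first, names = build_bundle(GROUP, ARTIFACT, VERSION, GOOD)
    second, _ = build_bundle(GROUP, ARTIFACT, VERSION, GOOD)
    print("reproducible:", bundle_digest(first) == bundle_digest(second))
    print("entries:", *names, sep="\n  ")
    finished, _ = build_bundle(GROUP, ARTIFACT, VERSION, BAD, finish=True)
    print("rc tag leaked into content of:", rc_tag_leaks(finished))
```

The leak check is deliberately narrow: renaming `log4j-api-2.24.0-rc1.jar` to `log4j-api-2.24.0.jar` in the Finish step does nothing about an `Implementation-Version: 2.24.0-rc1` already compiled into the manifest, which is exactly the case the check flags and the case that would break a rebuild-and-compare reproducibility check.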

