sbp commented on issue #397: URL: https://github.com/apache/tooling-trusted-releases/issues/397#issuecomment-3648035062
We discussed this in a call and decided to restrict the sources of SVN and KEYS files significantly, to their respective locations on ASF servers. Therefore we won't have to accept a full URL, just a fragment of the URL corresponding to the project. We also discussed file detection and agreed to hard fail uploads that are known to be corrupt. We will consider Apache Tika for further scanning, potentially on a separate GH runner. We were thinking about what kinds of types may be uploaded, and discussed the need to limit documentation uploaded to only release notes. There should be no need, for example, to accept image file types.
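
One way to implement the fragment-only restriction described in the comment above, as an added example that is not the project's own code. The base URLs are placeholders (the page does not name the actual ASF locations), and the fragment grammar and function names are assumptions.

```python
import re
from urllib.parse import urlsplit

# Placeholder bases (assumption): the real ASF locations are not given on the page.
SVN_BASE = "https://svn.example.invalid/repos/dist/"
KEYS_BASE = "https://downloads.example.invalid/"

# Assumed grammar: a segment starts and ends with an alphanumeric character.
_SEGMENT = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9._-]*[A-Za-z0-9])?")


class FragmentError(ValueError):
    """Raised when a submitted fragment is not a plain project path."""


def _check_fragment(fragment: str) -> list[str]:
    if not fragment or len(fragment) > 200:
        raise FragmentError("empty or over-long fragment")
    segments = fragment.split("/")
    for seg in segments:
        # Rejects "", "..", "%2e", ":", "@", "\\", "?", "#" and whitespace.
        if not _SEGMENT.fullmatch(seg) or ".." in seg:
            raise FragmentError(f"illegal path segment: {seg!r}")
    return segments


def _build(base: str, path: str) -> str:
    url = base + path
    # Defence in depth: scheme and host must still be those of the fixed base.
    got, want = urlsplit(url), urlsplit(base)
    if (got.scheme, got.netloc) != (want.scheme, want.netloc) or got.query or got.fragment:
        raise FragmentError("constructed URL left the allowed location")
    return url


def svn_url(fragment: str) -> str:
    """Map a project fragment onto the fixed SVN base; never accept a full URL."""
    return _build(SVN_BASE, "/".join(_check_fragment(fragment)))


def keys_url(project: str) -> str:
    """Map a single project name onto its KEYS file under the fixed base."""
    segments = _check_fragment(project)
    if len(segments) != 1:
        raise FragmentError("KEYS source takes a single project name")
    return _build(KEYS_BASE, segments[0] + "/KEYS")
```

Because the server supplies the scheme and host itself, a submitted value can only select a path under the two fixed locations.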
