sbp opened a new issue, #751: URL: https://github.com/apache/tooling-trusted-releases/issues/751
When staging versions are uploaded to third-party distribution platforms such as DockerHub, Maven Central, or PyPI, we should consider allowing remote promotion of those artifacts to production releases, if possible. This is a minor performance improvement. It can't be counted as a reduction in complexity: if anything, it's an increase in complexity, because for platforms that don't support remote upgrade we will still have to support uploading from ATR again. The files are always on ATR, so they will never need to be re-fetched, which means that there are no performance gains there.

There are some caveats to this. We would have to track the exact revision of files that were uploaded in the staging version. We should do this anyway, of course, but then when allowing promotion we also have to check that the files haven't been updated in subsequent revisions. We have to check that the files being promoted are the same as those that were voted on. This is an extra check that we don't currently have to do in ATR because the artifacts in the finish phase are, by definition, those that have been voted on.

We also have to consider how the promotion works on each platform. This would replace uploading from ATR, so there wouldn't be any extra complexity there. From a quick browse of documentation, ArtifactHub doesn't support promotion because it [only records metadata](https://artifacthub.io/docs/topics/faq/#can-i-install-applications-directly-from-artifact-hub); DockerHub [only supports promotion if using mutable tags](https://docs.docker.com/docker-hub/repos/manage/hub-images/immutable-tags/); Maven Central [does support promotion](https://central.sonatype.org/publish/publish-portal-api/#publish-or-drop-the-deployment); npm supports [mutable tags that it calls dist-tags](https://docs.npmjs.com/adding-dist-tags-to-packages); and PyPI does not support promotion from Test PyPI to PyPI and we have received a report that projects use PyPI for staging anyway.
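The check the issue describes (staged files must be byte-identical to the voted-on files before remote promotion is allowed), sketched as an added example that is not part of the issue or of ATR's code. `StagedUpload`, `manifest`, `promotion_decision`, the revision numbers and the file names are all hypothetical, and SHA-256 is an assumed choice of digest.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class StagedUpload:
    """Hypothetical record of what was pushed to a platform as a staging version."""
    platform: str
    revision: str   # revision the staged files were taken from
    digests: dict   # path -> SHA-256 hex digest at upload time


def manifest(files: dict) -> dict:
    """Map each path to the SHA-256 of its content."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def promotion_decision(upload, voted_revision, voted_digests, platform_can_promote):
    """Return ("promote", []) only if the staged files are exactly the voted-on files.

    Anything else returns ("upload", reasons): publish from the stored files instead.
    """
    reasons = []
    if not platform_can_promote:
        reasons.append(f"{upload.platform}: no remote promotion")
    # Compare the union of paths so additions and removals are caught too.
    for path in sorted(set(upload.digests) | set(voted_digests)):
        staged, voted = upload.digests.get(path), voted_digests.get(path)
        if staged is None:
            reasons.append(f"{path}: in voted revision {voted_revision}, never staged")
        elif voted is None:
            reasons.append(f"{path}: staged from {upload.revision}, not voted on")
        elif staged != voted:
            reasons.append(f"{path}: changed between {upload.revision} and {voted_revision}")
    return ("upload" if reasons else "promote"), reasons


if __name__ == "__main__":
    # Constructed sample data: revision 00003 was staged, 00005 was voted on.
    rev3 = {"pkg-1.0.tar.gz": b"source v1", "pkg-1.0.jar": b"binary v1"}
    rev5 = {"pkg-1.0.tar.gz": b"source v1", "pkg-1.0.jar": b"binary v1 rebuilt"}
    staged = StagedUpload("maven-central", "00003", manifest(rev3))
    print(promotion_decision(staged, "00005", manifest(rev5), True))
    print(promotion_decision(staged, "00003", manifest(rev3), True))
```

The decision rests on digests rather than on revision numbers, so a later revision that left the staged files untouched still qualifies for promotion.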
