sbp commented on issue #851: URL: https://github.com/apache/tooling-trusted-releases/issues/851#issuecomment-4291216903
If ATR only enforced mandatory policy, check results would be either `success` or `blocker`, and nothing else. Why might we have other kinds of result?

* When ATR is **extending ASF policy**, especially for security reasons. ATR blocks certain file types which are not expressly forbidden by our policy, but standard security practices deem these file types unsafe. In this case we intend to suggest policy changes, but until then they are still ATR-specific extensions.
* When **ASF policy contains a recommended item**. In this case, we cannot block a release, but we can inform the release manager that our policy expressly recommends against what ATR has detected.
* When there are **structural improvements** that may be made which are not matters of ASF release policy. For example, in a reproducible builds project we may detect a `.tar` that does not use a standard reproducible order. Perhaps the files are reversed in order by mistake, which is still reproducible but unconventional.
* When there is **uncertainty in the result**. The result may be _either_ `success` _or_ `blocker`, but we're not sure which, and want to bring this to the attention of the release manager.

Extensions of ASF policy still manifest as `blocker`, but not necessarily as check results. In the example of unsafe files, these are blocked during upload, in the quarantine phase.

Recommended items and structural improvements are _suggestions_, and constitute true _choices_ of the release manager and binding voters. They need to be made aware of these suggestions, but they are optional from the point of view of policy. The release manager decides whether to advance to vote, and the binding voters decide whether to advance to finish. It is not possible for ATR to make these decisions.

Uncertain results are not suggestions, but concerns. They are expressions that further work is necessary to determine the actual outcome type. Unlike suggestions, concerns are resolved by further _research_.
The release manager determines whether the check was `success` or `blocker` themselves, starting from the clues that ATR provides. (There may also be _uncertain suggestions_, but let's omit those from consideration for the sake of simplicity.)

Perhaps our result types should better reflect this?
