asf-tooling commented on issue #697:
URL: https://github.com/apache/tooling-trusted-releases/issues/697#issuecomment-4410109139
<!-- gofannon-issue-triage-bot v2 -->
**Automated triage** — analyzed at `main@2da7807a`
**Type:** `documentation` • **Classification:** `actionable` • **Confidence:** `medium`
**Application domain(s):** `shared_infrastructure`
### Summary
Issue #697 requests adding user-facing documentation about reproducible
builds, automated release signing, SBOMs, and OpenSSF best practices to the ATR
project. These are existing capabilities in the codebase (SBOM generation, key
management, signing) that lack user-facing documentation. @Phanindra899
volunteered to work on it but is blocked on completing the mailing list
introduction per @sbp's contribution requirements. No PR has been submitted yet.
### Where new code would go
- `docs/reproducible-builds.md` — new file
  New documentation file covering reproducible builds and automated release
  signing per the issue's item (1)
- `docs/sbom.md` — new file
  New documentation file covering SBOM generation and validation per the
  issue's item (2)
- `docs/openssf.md` — new file
  New documentation file covering OpenSSF Best Practices Badge per the
  issue's item (3)
### Proposed approach
This is a pure documentation task. The issue asks for user-facing
documentation covering three topic areas: (1) reproducible builds and automated
release signing, (2) SBOM (Software Bill of Materials), and (3) OpenSSF Best
Practices. The content should reference and build upon the linked ASF wiki
pages while explaining how these concepts specifically apply to ATR. Since I
don't have visibility into the existing documentation directory structure (no
docs/ directory was included in the files provided), the exact file locations
are uncertain.
The work is currently blocked on contributor onboarding — @Phanindra899
needs their mailing list introduction to appear in the archives before being
assigned. No code changes are needed; only new markdown documentation files
explaining ATR's support for these security practices.
### Open questions
- Where does user-facing ATR documentation currently live? Is there an
existing docs/ directory, a wiki, or are docs served from the application
itself (e.g., via templates)?
- Has @Phanindra899's mailing list introduction been resolved, or should
this be reassigned to another contributor?
- Should the documentation be structured as separate pages per topic or a
single combined security practices page?
- What level of detail is expected — just linking to existing ASF wiki pages
with ATR-specific context, or comprehensive standalone documentation?
### Files examined
- `.asf.yaml`
- `.github/PULL_REQUEST_TEMPLATE.md`
- `.github/dependabot.yml`
- `.github/labeler.yml`
- `.github/linters/.markdown-lint.yml`
- `.github/workflows/allowlistchecker.yml`
- `.github/workflows/analyze.yml`
- `.github/workflows/build.yml`
---
*Draft from a triage agent. A human reviewer should validate before merging
any change. The agent did not run tests or verify diffs apply.*
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.