On 4/2/20 4:15 PM, Alec Ari via Emc-developers wrote:
I'm all for Andy being the release manager, does this mean seb will
share the keys with him?

I have confidence in Andy and John to do a good job managing the release.


There are two sets of gpg keys involved, one that signs the release tags in our git repo and one that signs the debian archive.

The debian archive signing is straight-forward, and not really part of the Release Manager's responsibility - in my head there's a separate role of "debian archive admin" that does that. I'm happy to keep doing this work.

Release-tag signing *is* the Release Manager's job, and it's intimately connected to how releases work, at least as far back as the 2.0 days. The RM signals that a particular commit is an official release by making a signed tag of the commit (details in the ReleaseCheckList wiki page).

The buildbot automation uses scripts in our repo to detect this special tag and upload the resulting debs to a special "release" repo (http://buildbot.linuxcnc.org/release/dists/). The Debian Archive Admin copies the new release debs from there to the official deb archive on wlo, and signs the updated repo with the debian archive signing key.

The buildbot's automation uses `scripts/version-is-release` to detect release tags. Any tag signed by any of the keys in `gnupg/pubring.gpg` is accepted. So a Release Manager can just add their public key to that keyring and check it in.


--
Sebastian Kuzminsky


_______________________________________________
Emc-developers mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/emc-developers
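
The check described in the message above (a tag counts as a release only if it is signed by a key in the repo's keyring), as an added example that is not part of the original message and is not the project's `scripts/version-is-release`, whose contents the page does not show. The function names are hypothetical, and it assumes `git` and `gpgv` are installed and that the keyring is passed as an absolute path.

```shell
#!/bin/sh
# Added example: accept a tag as a release only if it is an annotated tag
# whose signature verifies against a keyring pinned in the repository.
# Function names are hypothetical; requires git and gpgv.

# Split a raw tag object (stdin) into payload ($1) and detached signature ($2).
split_tag_object() {
    : > "$1"; : > "$2"
    awk -v payload="$1" -v sig="$2" '
        /^-----BEGIN PGP SIGNATURE-----$/ { insig = 1 }
        { if (insig) print > sig; else print > payload }'
}

# Print the signer fingerprint from gpgv --status-fd output (stdin);
# fail if there is no VALIDSIG line.
signer_from_status() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $3; found = 1; exit }
         END { exit !found }'
}

# verify_release_tag TAG KEYRING: prints fingerprint and returns 0 on success.
verify_release_tag() {
    local tag keyring tmp status rc
    tag=$1; keyring=$2
    # Lightweight (unannotated) tags carry no signature, so reject them.
    [ "$(git cat-file -t "refs/tags/$tag" 2>/dev/null)" = tag ] || return 1
    tmp=$(mktemp -d) || return 1
    git cat-file tag "refs/tags/$tag" | split_tag_object "$tmp/payload" "$tmp/sig"
    # gpgv trusts only the given keyring, not the caller's own GnuPG keyring.
    status=$(gpgv --keyring "$keyring" --status-fd 1 \
                  "$tmp/sig" "$tmp/payload" 2>/dev/null)
    rc=$?
    rm -rf "$tmp"
    [ "$rc" -eq 0 ] || return 1
    printf '%s\n' "$status" | signer_from_status
}

# Usage: sh verify-tag.sh <tag> /absolute/path/to/gnupg/pubring.gpg
if [ "$#" -eq 2 ]; then verify_release_tag "$1" "$2"; fi
```

Because the keyring file decides who can mark a commit as a release, a commit that changes it deserves the same review as a change to the release scripts themselves.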
