> Just to clarify, my understanding is that Infra is typically responsible
> for creating the signing key only for TLP releases and for projects
> participating in the Automated TLP Releases (ATR) program.
> I might be wrong but that’s my understanding.

Yes. That's what I also wrote, that this might not be relevant to PPMC, but at least my interpretation of the policy is that if the key is not provided by INFRA and the process reviewed and approved by Infra AND it's not clear whether the process of verification includes a reproducibility check AND from the vote responses it's not clear which checks (including reproducibility) have been done, it's just not a good "ASF release".

Also - I honestly have trouble with giving anything other than -1. I've been asked (by you) to take a look and see if I can vote +1, but personally I can't, because I don't even know (after spending quite a good deal of time and effort to find out) how to verify and check the reproducibility - which is a MUST condition on automated signing. It's not optional for a release that we could label as an "ASF release" IMHO.

And I am a fresh mentor or IPMC member - so I do not know what the "prior art" is here. I know it's ok for the release to not be fully compliant with all expectations, maybe other more experienced mentors can chime in here, but IMHO there should be some way of stating `Yep we can do the release even if it's not following all the "ASF Release" checks` - maybe there is a way to mark a release as such "not fully compliant" - or maybe we do not care for PPMCs and it's not as "legally binding" as a regular release. I'd love to hear from others what the practice is (but also it won't change my -1, not until I learn how to check reproducibility of the artifacts).

J.
