[Bug 62391] Jenkins needs the ability to sign tarballs
https://bugzilla.wikimedia.org/show_bug.cgi?id=62391

Antoine hashar Musso has...@free.fr changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Assignee|has...@free.fr              |wikibugs-l@lists.wikimedia.org

--- Comment #3 from Antoine hashar Musso has...@free.fr ---
Resetting assignee, I am not working on this.

-- 
You are receiving this mail because:
You are the assignee for the bug.
You are on the CC list for the bug.
___
Wikibugs-l mailing list
Wikibugs-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikibugs-l
[Bug 62391] Jenkins needs the ability to sign tarballs
https://bugzilla.wikimedia.org/show_bug.cgi?id=62391

Andre Klapper aklap...@wikimedia.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Priority|Unprioritized               |Normal
                 CC|                            |has...@free.fr,
                   |                            |innocentkil...@gmail.com,
                   |                            |krinklem...@gmail.com
          Component|General/Unknown             |Continuous integration
[Bug 62391] Jenkins needs the ability to sign tarballs
https://bugzilla.wikimedia.org/show_bug.cgi?id=62391

--- Comment #2 from Antoine hashar Musso has...@free.fr ---
I do not have any free time in March to handle release tarballs / securing
Jenkins. If someone else can take the lead there that would be much
appreciated.

We can most probably use a private Jenkins server for ops/analytics/mw tarball
usage. They all have the same need apparently.
[Bug 62391] Jenkins needs the ability to sign tarballs
https://bugzilla.wikimedia.org/show_bug.cgi?id=62391

--- Comment #1 from Chris Steipp cste...@wikimedia.org ---
Since we've had a number of conversations around this, let me enumerate the
options we've talked about. We probably need to just pick a strategy and try
it:

1) The Jenkins who does the signing is a private/secured version where we feel
comfortable keeping a private key.

2) We put the signing key in an hsm in the datacenter, and make sure someone
audits/watches what is being signed.

3) Jenkins signs with a key only to say, "This is what Jenkins built." It's up
to someone in the release process to verify and sign the tarballs to assert
that someone is pretty sure the tarballs were built correctly.
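As an added illustration of option 3 above (example code, not from the bug thread or from Wikimedia's Jenkins setup): a build key attests only to what the build server produced, a separate release key records a person's sign-off, and consumers accept a tarball only when both detached signatures verify over the same digest. The key pairs, the tarball bytes and the role split are constructed for the example; a real deployment would hold the build key on the locked-down Jenkins host or in an HSM as options 1 and 2 describe.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Release is a tarball plus the two detached signatures option 3 calls for:
// BuildSig says "this is what Jenkins built", RelSig says a person checked it.
type Release struct{ Tarball, BuildSig, RelSig []byte }

// NewKey makes an in-memory Ed25519 key pair for one role (constructed for the example).
func NewKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(nil) // nil reader selects crypto/rand
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Sign returns a detached signature over the SHA-256 digest of the tarball.
func Sign(priv ed25519.PrivateKey, tarball []byte) []byte {
	digest := sha256.Sum256(tarball)
	return ed25519.Sign(priv, digest[:])
}

// VerifyRelease accepts only when both signatures verify over the same digest:
// build-only is an unreviewed artifact, release-only is untied to a known build.
func VerifyRelease(r Release, buildPub, relPub ed25519.PublicKey) error {
	digest := sha256.Sum256(r.Tarball)
	if !ed25519.Verify(buildPub, digest[:], r.BuildSig) {
		return errors.New("build signature invalid: not what the build server produced")
	}
	if !ed25519.Verify(relPub, digest[:], r.RelSig) {
		return errors.New("release signature invalid: no releaser sign-off")
	}
	return nil
}

func main() {
	buildPub, buildPriv := NewKey()
	relPub, relPriv := NewKey()
	tarball := []byte("constructed stand-in for tarball bytes") // constructed input
	rel := Release{Tarball: tarball, BuildSig: Sign(buildPriv, tarball)}
	fmt.Println("build only:", VerifyRelease(rel, buildPub, relPub))
	rel.RelSig = Sign(relPriv, tarball)
	fmt.Println("build + release:", VerifyRelease(rel, buildPub, relPub))
}
```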