www-release-discuss mailing list archives

From "Hyrum K. Wright" <hyrum_wri...@mail.utexas.edu>
Subject Release process tooling
Date Thu, 22 Jul 2010 18:37:49 GMT
I've been thinking a bit lately about the way we can provide better
tools for projects to release.  The overarching goal is to provide
tools which reduce the barriers for projects to create high-quality
verified and signed releases.  This is a brain dump of my thoughts,
with which I'd like to stimulate some discussion.

There are a lot of bikeshedable components, but generally I'm thinking
about the following workflow:
 * RM creates artifact(s)
 * RM signs the artifact(s)
 * RM registers the artifact(s) using a script on {people,dist,?}.apache.org
 * PMC members go to a webapp to download the artifact(s)
 * offline, the PMC members verify and sign the artifact(s)
 * PMC members then upload signatures through the webapp
 * webapp verifies:
    a) the signature is valid
    b) the signer is authorized to sign the artifact(s) (i.e., is a
       member of the PMC)
 * RM retrieves the signatures via script or webapp
 * RM can then run script to promote the artifact(s), with signatures
   and hashes, to the distribution area

Some of this reflects my own bias as the Subversion RM for the past
couple of years, but a lot of it is the result of various
conversations with Paul, Henri and other folks.  Aside from the
questions of storage and other minutiae, am I missing anything?
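
Added example, not part of the original message or of any Apache tooling: one way the two webapp checks in the workflow above (signature valid, signer on the PMC) could be decided from GnuPG's --status-fd output. The roster dict, the function name and the sample status lines are assumptions constructed for illustration.

```python
# Added example: decide on an uploaded signature from GnuPG's machine-readable
# status lines, e.g. from: gpg --batch --status-fd 1 --verify artifact.asc artifact
REJECT = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"}

def check_vote_signature(status_output, pmc_roster):
    """Return (accepted, signer, reason).

    pmc_roster maps primary-key fingerprint -> PMC member id (hypothetical store).
    """
    valid = []
    for line in status_output.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue  # ignore human-readable output
        if fields[1] in REJECT:
            return (False, None, "signature invalid: " + fields[1])
        if fields[1] == "VALIDSIG":
            # Field 11 is the primary-key fingerprint; field 2 is the key that
            # actually signed (may be a subkey). Never match on user ID or key ID.
            valid.append((fields[11] if len(fields) > 11 else fields[2]).upper())
    if len(valid) != 1:
        return (False, None, "expected one valid signature, found %d" % len(valid))
    signer = pmc_roster.get(valid[0])
    if signer is None:
        return (False, None, "valid signature, signer not on PMC roster")
    return (True, signer, "ok")

# Constructed sample data: fingerprints, ids and status lines are made up.
PMC_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
OTHER_FPR = "89ABCDEF0123456789ABCDEF0123456789ABCDEF"
ROSTER = {PMC_FPR: "pmc-member-1"}

def _status(fpr):
    return ("[GNUPG:] NEWSIG\n"
            "[GNUPG:] GOODSIG %s Constructed Signer <signer@example.org>\n"
            "[GNUPG:] VALIDSIG %s 2010-07-22 1279823869 0 4 0 1 2 00 %s\n"
            % (fpr[-16:], fpr, fpr))

SAMPLE_PMC = _status(PMC_FPR)
SAMPLE_OUTSIDER = _status(OTHER_FPR)
SAMPLE_BAD = "[GNUPG:] BADSIG 89ABCDEF01234567 Constructed Signer <signer@example.org>\n"

if __name__ == "__main__":
    for name, s in [("pmc", SAMPLE_PMC), ("outsider", SAMPLE_OUTSIDER), ("bad", SAMPLE_BAD)]:
        print(name, check_vote_signature(s, ROSTER))
```

The status text should come from running gpg against the server's own copy of the registered artifact, so a signature over some other file cannot be counted as a vote.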

