www-release-discuss mailing list archives

From Brian Fox <bri...@infinity.nu>
Subject Re: Release process tooling
Date Fri, 23 Jul 2010 13:18:54 GMT
With the exception of the rest of the PMC signing the artifacts,
everything else you described is currently done automatically by using
Nexus for Maven artifacts. We could in theory extend it to be able to
handle the staging of distros as well via a plugin.

On Thu, Jul 22, 2010 at 2:37 PM, Hyrum K. Wright
<hyrum_wright@mail.utexas.edu> wrote:
> I've been thinking a bit lately about the way we can provide better
> tools for projects to release.  The overarching goal is to provide
> tools which reduce the barriers for projects to create high-quality
> verified and signed releases.  This is a brain dump of my thoughts,
> with which I'd like to stimulate some discussion.
>
> There are a lot of bikeshedable components, but generally I'm thinking
> about the following workflow:
>  * RM creates artifact(s)
>  * RM signs the artifact(s)
>  * RM registers the artifact(s) using a script on {people,dist,?}.apache.org
>  * PMC members go to a webapp to download the artifact(s)
>  * offline, the PMC members verify and sign the artifact(s)
>  * PMC members then upload signatures through the webapp
>  * webapp verifies:
>    a) the signature is valid
>    b) the signer is authorized to sign the artifact(s) (i.e., is a
> member of the PMC)
>  * RM retrieves the signatures via script or webapp
>  * RM can then run script to promote the artifact(s), with signatures
> and hashes, to the distribution area
>
> Some of this reflects my own bias as the Subversion RM for the past
> couple of years, but a lot of it is the result of various
> conversations with Paul, Henri and other folks.  Aside from the
> questions of storage and other minutiae, am I missing anything?
>
> -Hyrum
>
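
The webapp-side check from the quoted workflow (the signature is valid, and the signer is a PMC member), as an added example that is not part of this thread or of any Apache tooling. It assumes the webapp runs `gpg --status-fd 1 --verify` on each uploaded signature and parses the status lines; the fingerprints, roster names and sample status text are constructed.

```python
# Added example (not from the thread). Decides whether one detached signature
# counts toward a release, from `gpg --status-fd 1 --verify` status lines.

# Constructed primary-key fingerprints standing in for the PMC roster.
AUTHORIZED_PMC = {"A" * 40: "pmc-member-1", "B" * 40: "pmc-member-2"}
# Status keywords that disqualify a signature even when VALIDSIG is also present.
REJECT = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}

def check_signature(status_text, authorized=AUTHORIZED_PMC):
    """Return (accepted, detail) for the status output of one signature."""
    keywords, fprs = set(), []
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue  # trust only machine-readable status lines
        fields = line.split()
        if len(fields) < 2:
            continue
        keywords.add(fields[1])
        if fields[1] == "VALIDSIG" and len(fields) >= 3:
            # The 12th field is the primary-key fingerprint (differs when a
            # subkey signed); fall back to the signing key's fingerprint.
            fprs.append((fields[11] if len(fields) >= 12 else fields[2]).upper())
    bad = keywords & REJECT
    if bad:
        return False, "rejected: " + ",".join(sorted(bad))
    if "GOODSIG" not in keywords or len(fprs) != 1:
        return False, "no single valid signature"
    if fprs[0] not in authorized:
        return False, "signer not on PMC"
    return True, authorized[fprs[0]]

def tally(status_by_file, authorized=AUTHORIZED_PMC):
    """Distinct PMC members with an accepted signature (duplicates count once)."""
    results = (check_signature(s, authorized) for s in status_by_file.values())
    return sorted({who for ok, who in results if ok})

def sample_status(keyword, primary_fpr):  # builds constructed status text
    sub = "C" * 40  # constructed signing-subkey fingerprint
    return (f"[GNUPG:] NEWSIG\n[GNUPG:] {keyword} {sub[-16:]} Example Signer\n"
            f"[GNUPG:] VALIDSIG {sub} 2010-07-22 1279800000 0 4 0 1 2 00 {primary_fpr}\n")

SAMPLES = {  # constructed inputs, one entry per uploaded signature file
    "member1.asc": sample_status("GOODSIG", "A" * 40),
    "member1-again.asc": sample_status("GOODSIG", "A" * 40),
    "outsider.asc": sample_status("GOODSIG", "D" * 40),
    "expired-key.asc": sample_status("EXPKEYSIG", "B" * 40),
    "tampered.asc": "[GNUPG:] NEWSIG\n[GNUPG:] BADSIG CCCCCCCCCCCCCCCC Example Signer\n",
}
```

Matching on the full primary-key fingerprint rather than the key ID or user ID string keeps a look-alike key from passing the authorization check.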
