This is an automated email from the ASF dual-hosted git repository.
wave pushed a commit to branch Nomenclature-updates
in repository https://gitbox.apache.org/repos/asf/tooling-docs.git
The following commit(s) were added to refs/heads/Nomenclature-updates by this
push:
new de82d50 Update for lifecycle phases
de82d50 is described below
commit de82d509aa53e89609be99da7b244e325a595163
Author: Dave Fisher <[email protected]>
AuthorDate: Sun Feb 2 13:28:28 2025 -0800
Update for lifecycle phases
---
apache-trusted-release/requirements.md | 49 +++-------------------------------
1 file changed, 4 insertions(+), 45 deletions(-)
diff --git a/apache-trusted-release/requirements.md
b/apache-trusted-release/requirements.md
index 2d6f844..b4bd76f 100644
--- a/apache-trusted-release/requirements.md
+++ b/apache-trusted-release/requirements.md
@@ -33,6 +33,7 @@ While reading consider these Notes:
- Manual triggers.
- Tracking performance.
- Platform includes a RESTful API.
+ - Work with Security Team about integration of CVE information.
- Make switching from current manual release process to a minimal ATR
process very simple.
- Provide operational status to help Infra monitor ATR operations through
the IRD.
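Review bot: The added line "Work with Security Team about integration of CVE information." reads as a to-do for the authors rather than a requirement, unlike its neighbours ("Manual triggers.", "Platform includes a RESTful API."). Suggest stating what the platform itself has to do with CVE information, for example where it is recorded and shown, and tracking the coordination with the Security Team outside this list.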
@@ -47,55 +48,13 @@ While reading consider these Notes:
- SBOMs and Attestations
- Include dependency and license compliance.
- Provide clear attribution and information about Release Votes.
+ - CVEs
- Certificate and Credential Management
- Manage the signing keys needed for automation.
- Download Page including available SBOM and verification instructions.
- Announcement Email.
-## 5. Automated Actions
+## 5. Release Lifecycle Phases
- These requirements are by category and are not necessarily ordered. Here is
a flow chart showing the
- [Release Lifecycle](lifecycle.md).
+ Here is a flow chart showing the [Release Lifecycle Phases](lifecycle.md).
- - Triggers:
- - Initiation by GH Action and/or GitBox Event.
- - Initiation by metadata commit to the Dist Repository.
- - Manual for steps that may require manual work first.
- - Procedures:
- - Maintain the SBOM.
- - Check compliance:
- - Security Policy.
- - Legal Policy (to the extent possible).
- - Distribution Policy is built into the **ATR**
- - Signing Certificates.
- - Optional Digital Signatures:
- - Windows.
- - macOS.
- - (others TBD).
- - Voting:
- - Perform the Release Vote on the project dev list.
- - PMC votes through ATR, but emails are sent for each.
- (Use a hosted release candidate page that looks like the Download page)
- - Failure:
- - Non-compliance
- - Failed Votes
- - Email status to dev list
- - Distribution:
- - Release to the required Dist Repository.
- - Release to selected optional repositories. (Prioritized list)
- - Maven Central
- - PyPi
- - Node
- - DockerHub
- - Artifactory
- - (others TDB)
- - Candidates:
- - Some release candidates may be distributed to test repositories.
- - Apache staging repository
- - Test PyPi
- - (others TDB)
- - Developers may want to test those artifacts while voting.
- - Release Summary Email.
- - Include instructions about any optional repositories not automated.
- - Once any manual steps are completed, manually trigger the next step.
- - Announce Release via Email.
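Review bot: Deleting the whole list under section 5 leaves requirements.md with only a link to lifecycle.md, and this commit changes one file, so nothing here shows that the removed items (compliance checks against Security Policy and Legal Policy, signing certificates, failure handling for non-compliance and failed votes, the distribution and candidate repositories) are now stated in lifecycle.md. Suggest confirming each one is covered there before dropping it, or keeping the entries that are requirements rather than phases. The new "- CVEs" entry earlier in this hunk is also bare next to siblings that carry sub-items; one line saying what is expected for CVEs would make it reviewable. Any links that point at the old "5. Automated Actions" heading will need checking after the rename.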