This is an automated email from the ASF dual-hosted git repository.
wave pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tooling-docs.git
The following commit(s) were added to refs/heads/main by this push:
new 65dff34 Simplify phases and other improvements (#7)
65dff34 is described below
commit 65dff34b7c5f11eaf6eb6a4d799c236ade5fa916
Author: Dave Fisher <[email protected]>
AuthorDate: Mon Feb 3 10:40:46 2025 -0800
Simplify phases and other improvements (#7)
---
apache-trusted-release/cve-process.md | 7 +++
apache-trusted-release/data-model.md | 2 +-
apache-trusted-release/distributions.md | 4 +-
apache-trusted-release/github-build.md | 5 ++
apache-trusted-release/lifecycle.md | 80 ++++++++++++++--------------
apache-trusted-release/platform.md | 8 +--
apache-trusted-release/requirements.md | 1 +
apache-trusted-release/svn-dist.md | 9 ++++
apache-trusted-release/test-distributions.md | 35 ------------
9 files changed, 70 insertions(+), 81 deletions(-)
diff --git a/apache-trusted-release/cve-process.md
b/apache-trusted-release/cve-process.md
new file mode 100644
index 0000000..08b394c
--- /dev/null
+++ b/apache-trusted-release/cve-process.md
@@ -0,0 +1,7 @@
+# Update SBOMs - CVE Process "Phase"
+
+When CVEs are announced there needs to be co-ordination between Security's
cveprocess.apache.org and the ATR.
+
+For every impacted release with an SBOM the SBOMs will need to be updated.
+
+> Note where this is an explicit phase or not depends on integration
discussions with the security team.
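Review bot: "Note where this is an explicit phase or not" should read "Note that whether this is an explicit phase or not", and the same sentence is repeated verbatim in lifecycle.md under "Update SBOMs"; keep one copy and link to it. The page should also state whether an SBOM update re-signs and re-checksums the affected release folder, since the data model lists SBOMs alongside signatures and checksums as release files and a modified SBOM would otherwise fail verification against the existing signature.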
diff --git a/apache-trusted-release/data-model.md
b/apache-trusted-release/data-model.md
index 9a3b3d2..0aab1df 100644
--- a/apache-trusted-release/data-model.md
+++ b/apache-trusted-release/data-model.md
@@ -32,7 +32,7 @@ One or more product lines with separate releases including
the main one. A produ
10. Release lists:
- Candidates
- Current
- - Revoked
+ - Archived
### Public Signing Keys
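Review bot: Replacing "Revoked" with "Archived" in the release lists drops the distinction the lifecycle.md text still makes ("archived, revoked, or abandoned"). Consider stating in the data model that the reason for archiving (revoked, EOL, abandoned, distribution failure) is recorded on the archived release, because a revoked release needs to be distinguishable from one that merely reached end of life.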
diff --git a/apache-trusted-release/distributions.md
b/apache-trusted-release/distributions.md
index 77d90ec..0ff9265 100644
--- a/apache-trusted-release/distributions.md
+++ b/apache-trusted-release/distributions.md
@@ -1,12 +1,12 @@
# Distribute Phase
-Support will be added to the ATR for distribution of release packages to third
parties in a priority order.
+Support will be added to the ATR for distribution of release and test packages
to package managers in a priority order.
## Package Managers
1. Maven Central
2. PyPi
-3. Artifactory
+3. jFrog
4. DockerHub
5. Node
6. NuGet
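Review bot: "jFrog" is written "JFrog" by the vendor and "PyPi" is "PyPI"; minor, but these are proper names. The first sentence now says "release and test packages", so the list should indicate which entries have a test target, since the per-channel test repositories previously documented in test-distributions.md are deleted in this commit.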
diff --git a/apache-trusted-release/github-build.md
b/apache-trusted-release/github-build.md
new file mode 100644
index 0000000..b55ce1a
--- /dev/null
+++ b/apache-trusted-release/github-build.md
@@ -0,0 +1,5 @@
+# GitHub Build
+
+The release candidate is created using a properly reviewed GHA workflow.
+
+We will need a GHA that creates the Release Candidate in the ATR.
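Review bot: "properly reviewed GHA workflow" leaves the review criteria undefined; say who reviews the workflow and against what, and link the Security Release Policy that lifecycle.md cites for the GHA Secure Build phase. "We will need a GHA that creates the Release Candidate in the ATR" also reads as a to-do rather than documentation; the page should state the candidate creation mechanism or mark it as not yet designed.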
diff --git a/apache-trusted-release/lifecycle.md
b/apache-trusted-release/lifecycle.md
index 1288129..b3548a4 100644
--- a/apache-trusted-release/lifecycle.md
+++ b/apache-trusted-release/lifecycle.md
@@ -2,17 +2,21 @@
A Release will go through a lifecycle of **stages** and **phases**.
-Stages include **Build**, **Candidate**, **Current**, and **Revoked**.
-The ATR does not manage build stage releases. It takes over on the transition
from the build to the candidate stage.
+Stages include **Build**, **Candidate**, **Current**, and **Archived**.
+The ATR does not manage build stage and legacy releases. It takes over on the
transition from the build to the candidate stage.
Stages control where on the **ATR** Website a release can be found.
Phases are states or activities during a Release's life cycle.
```mermaid
flowchart TD
+ subgraph Build Stage
+ A[GHA Secure Build]
+ end
+ subgraph Legacy
+ B[Legacy SVN Dist]
+ end
subgraph Apache Trusted Release
- A[GHA Secure Release Process]
- B[Current SVN Build Process]
C@{ shape: docs, label: "Release Candidate" }
A -->|automatically triggered| C
B -->|manually triggered| C
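Review bot: The text says "The ATR does not manage build stage and legacy releases", but the Legacy subgraph's node B is given a migration edge into the ATR in a later hunk of this file; either qualify the sentence (the ATR ingests legacy releases but does not manage their creation) or drop "legacy" from it. The removed node labels said what A and B are ("GHA Secure Release Process", "Current SVN Build Process"); the new "GHA Secure Build" and "Legacy SVN Dist" labels should match the phase headings below, which they do, so no change needed there.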
@@ -21,12 +25,13 @@ flowchart TD
C --> D
DD@{ shape: process, label: "Sign Candidate" }
D -->|pass| DD
- GG@{ shape: processes, label: "Distribute Test" }
+ GG@{ shape: processes, label: "Distribute (Test)" }
E@{ shape: sl-rect, label: "Release Vote" }
JJJ@{ shape: dbl-circ, label: "Passes" }
F@{ shape: dbl-circ, label: "Failed" }
E -->|pass| JJJ
E -->|fail| F
+ GG -->|fail| F
D -->|fail| F
F -->|new candidate| C
DD --> GG
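Review bot: Adding "GG -->|fail| F" gives Distribute (Test) a failure path, but "Sign Candidate" (DD) still has only "DD --> GG" and no fail edge, so a signing failure has no defined outcome and would implicitly continue to test distribution. Add "DD -->|fail| F" to match the treatment of D and GG.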
@@ -36,51 +41,41 @@ flowchart TD
JJ@{ shape: docs, label: "Release" }
JJJ --> JJ
G@{ shape: processes, label: "Distribute" }
- H@{ shape: trap-t, label: "Manual Distribution" }
- G -->|optional| H
G --> I
- FF@{ shape: dbl-circ, label: "Distribution\nFailed" }
- G -->|failure| FF
I[Announce Release]
- FF -->|retry| G
- FF -->|abandon| K
- H -->|manually triggered| I
+ II[Migration]
+ L@{ shape: trap-t, label: "Update SBOMs" }
J@{ shape: dbl-circ, label: "Released" }
- JJ --> G
- I --> J
- K@{ shape: dbl-circ, label: "Revoked" }
- L@{ shape: trap-t, label: "Announce CVEs" }
- J -->|revoke| K
J -->|cves| L
L -->|record cves| J
+ JJ --> G
+ I --> J
+ B -->|migration| II
+ II -->|current| J
+ subgraph Archived Release Stage
+ K@{ shape: dbl-circ, label: "Archived" }
+ end
+ G -->|failure| K
+ II -->|archived| K
+ J -->|archive| K
end
end
```
## Phases
-**Announce CVEs**
-: At some moment as or after a release happens a project may announce CVEs
that either impact or are solved by a release. The security team and PMC manage
CVEs including announcements and publishing via cveprocess.apache.org The ATR
will update SBOMs with new CVEs.
-
-> Note where this is an explicit phase or not depends on integration
discussions with the security team.
-
**Announce Release**
: Send a compliant announcement of the release. This template will include
release metadata.
+**Archived**
+: A Release in this stage/phase has been archived, revoked, or abandoned.
+
**[ATR Platform](./platform.md)**
: Apache Trusted Release is a service with a web UI and restful API for
managing the lifecycle of project releases.
-**Current SVN Build Process**
-: This is our current SVN repository process for setting up a release
candidate. Trigger the ATR automation by including release metadata.
-
**[Distribute](./distributions.md)**
-: Release distribution will be automated for many channels.
-
-**[Distribute Test](./test-distributions.md)**
-: Release Candidates may be distributed to Test repositories.
-
-**Distribution Failed**
-: A Release may fail one or more of its Distribution Steps. This may be due to
a problem with the destination. The project will need to manually retry. The
distribute steps should include reasonable retry logic. The Release Manager
will need to decide the next phase.
+: Release and Test distributions will be automated for many channels. An email
will be sent about package managers need which need manual distribution.
+Once that is complete the Release Manager will need to move to the next Phase.
If all distributions automatically complete then moving to the next phase is
automatic,
**[Evaluate Candidate](./evaluate.md)**
: Report on the Candidate by performing numerous checks for policy compliance.
Fails if compliance minimums are unmet.
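Review bot: "G -->|failure| K" sends a release straight to Archived on distribution failure, while the removed "Distribution Failed" node had both "retry" and "abandon" edges; the new prose says the Release Manager "will need to move to the next Phase" after manual distribution, so a retry edge from G (or from the manual step) back to G is missing from the diagram. The merged Distribute description also has a garbled sentence: "An email will be sent about package managers need which need manual distribution" should read "An email will be sent listing which package managers need manual distribution", and "automatic," should end with a period.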
@@ -89,19 +84,22 @@ flowchart TD
: A Release Candidate may end in this state. The project can either abandon it
or update and resubmit it.
The Release Manager will need to decide the next phase.
-**GHA Secure Release Process**
+**[GHA Secure Build](./github-build.md)**
: In a GitHub workflow the release candidate is built and validated following
the Security Release Policy.
-**Manual Distribution**
-: Some channels either require manual steps, or they are yet to be automated.
An email will be sent to list which package managers need a manual ditribution.
Once that is complete the Release Manager will need to move to the next Phase.
+**[Legacy SVN Dist](./svn-dist.md)**
+: This is our current SVN repository process for setting up a release
candidate. Trigger the ATR automation by including release metadata.
+
+**[Migration](./svn-dist.md)**
+: We need a phase for migration of existing current and archived releases from
the legacy platform into the ATR data store.
**Passes**
: The Release Candidate has been accepted. Convert the candidate into a
Release and proceed to Distribute and Announce the Release.
-**Release**
+**[Release](./data-model.md)**
: The release is a folder of files including metadata, SBOMs, public keys,
signatures, and checksums.
-**Release Candidate**
+**[Release Candidate](./data-model.md)**
: A release candidate consists of a folder of release files including
metadata, SBOMs, public keys, signatures, and checksums.
**[Release Vote](./vote.md)**
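Review bot: The Migration phase imports current and archived releases from the legacy platform, and the Release definition two entries below lists signatures and checksums among the release files; state whether those signatures and checksums are verified against the project's public keys on import, since a migrated release otherwise enters the ATR data store with unverified provenance. "We need a phase for migration" also reads as a to-do; rewrite it as a description ("Existing current and archived releases are migrated from the legacy platform into the ATR data store.").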
@@ -110,8 +108,10 @@ flowchart TD
**Released**
: Once the Release is distributed and announced, this Release should remain in
this phase as long as it is available.
-**Revoked**
-: A Release in this stage/phase has been archived, revoked, or abandoned.
-
**[Sign Candidate](./digital-signatures.md)**
: Optionally sign packages using digital certificates through a service.
+
+**[Update SBOMs](./cve-process.md)**
+: At some moment as or after a release happens a project may announce CVEs
that either impact or are solved by a release. The security team and PMC manage
CVEs including announcements and publishing via cveprocess.apache.org The ATR
will update the releases SBOMs with new CVEs.
+
+> Note where this is an explicit phase or not depends on integration
discussions with the security team.
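Review bot: "update the releases SBOMs" should be "update the release's SBOMs", and "cveprocess.apache.org The ATR" is missing a period before "The". The whole entry, including the "> Note" block, duplicates the new cve-process.md; keep the summary here and link to that page rather than maintaining two copies.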
diff --git a/apache-trusted-release/platform.md
b/apache-trusted-release/platform.md
index 7f3c901..4409fbc 100644
--- a/apache-trusted-release/platform.md
+++ b/apache-trusted-release/platform.md
@@ -19,9 +19,10 @@ See [Data Model](./data-model.md) for a discussion of the
objects managed by the
### Release Stages
-1. Current Releases
+1. Build Releases - while not managed by the ATR there are bridges.
2. Candidate Releases
-3. Revoked / EOL / Attic Releases
+3. Current Releases
+4. Archived / Revoked / EOL / Atticked Releases
> “Nightlies” is for a later phase.
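Review bot: "while not managed by the ATR there are bridges" should name the bridges, which this commit documents as github-build.md and svn-dist.md; link them here. "Atticked" is not a word the rest of the document uses; the earlier "Attic" (or "moved to the Attic") is clearer.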
@@ -32,6 +33,7 @@ See [Release Lifecycle](./lifecycle.md) for how phases are
chained together to p
### Release CVEs
1. CVE metadata
+2. SBOM updates
3. Affected releases
4. Release that resolves CVE(s)
@@ -39,7 +41,7 @@ See [Release Lifecycle](./lifecycle.md) for how phases are
chained together to p
The co-ordinates make up the external path to objects. The metadata database
provides the map to the local path.
-1. Stage (Candidate, Current, Revoked, …)
+1. Stage (Candidate, Current, Archived, …)
2. Project (Responsible TLP)
3. Product (Main, Sub-projects)
4. Version (String, latest)
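Review bot: The Stage co-ordinate lists "Candidate, Current, Archived, …" while the Release Stages section above now starts with "Build Releases"; if build releases have no path in the ATR, say so next to the Stage co-ordinate so the two lists are not read as inconsistent.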
diff --git a/apache-trusted-release/requirements.md
b/apache-trusted-release/requirements.md
index b4bd76f..5998eda 100644
--- a/apache-trusted-release/requirements.md
+++ b/apache-trusted-release/requirements.md
@@ -26,6 +26,7 @@ While reading consider these Notes:
- Incorporate all Project Releases.
- Download page. (migrated/mirrored from dist/release)
- Release Candidate pages. (migrated/mirrored from dist/dev)
+ - Archived download page. (migrated from archives)
- Every project has a management interface.
- Current manual release practice is viewable.
- Automated release status.
diff --git a/apache-trusted-release/svn-dist.md
b/apache-trusted-release/svn-dist.md
new file mode 100644
index 0000000..2284fb5
--- /dev/null
+++ b/apache-trusted-release/svn-dist.md
@@ -0,0 +1,9 @@
+# Legacy Releases from SVN Dist
+
+We have three types of Releases to create using a "Pull from 'Dist'" process.
+
+1. Release Candidates from `dist/dev` as the Release Manager requests from
within the ATR Web UI.
+
+2. Current Releases from `dist/release` this will be used for the initial
migration and may be used from time to time as PMCs use the old methods.
+
+3. Archived Releases which are migrated from the archive if not present in the
Current Releases.
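Review bot: Item 2 needs punctuation: "Current Releases from `dist/release`. This will be used for the initial migration". For all three pull types, the page should state that the pulled folder's signatures and checksums are verified against the project's KEYS before the release is created in the ATR, and that the SVN path and revision pulled are recorded with the release, so a migrated or manually requested release carries its provenance.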
diff --git a/apache-trusted-release/test-distributions.md
b/apache-trusted-release/test-distributions.md
deleted file mode 100644
index 15ff78f..0000000
--- a/apache-trusted-release/test-distributions.md
+++ /dev/null
@@ -1,35 +0,0 @@
-# Test Distribute Phase
-
-Support will be added to the ATR for distribution of release candidate
packages in a priority order.
-
-## Package Managers
-
-1. Maven - repository.apache.org
-2. TEST PyPi
-3. Artifactory
-4. DockerHub
-5. Node
-6. NuGet - Test
-7. ...
-
-### Apache Maven Repository
-
-Use https://repository.apache.org/
-
-### TEST PyPi
-
-
-### Artifactory
-
-Labeled as `TEST` in our jfrog repository.
-
-### DockerHub
-
-Labeled as `TEST` in DockerHub
-
-### Node
-
-
-### NuGet
-
-Need some type of NuGet Test service.
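Review bot: Deleting this file removes the only record of the per-channel test targets (repository.apache.org for Maven, TEST PyPI, the `TEST` label in the JFrog and DockerHub repositories, the open NuGet question), and the distributions.md change in this commit only says "release and test packages" without listing them. Move the test-target details into distributions.md before deleting this page so the information is not lost.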