ppkarwasz commented on issue #171:
URL:
https://github.com/apache/tooling-trusted-release/issues/171#issuecomment-2971835362
> There is a revision attached to drafts and a failed vote is returned to
> the Compose state allowing new files to be output.

I didn't notice, can the release vote point to a specific revision then? The
link included in vote e-mails should point to something immutable.

> Also in the Finish step we allow files to have rc tags removed from their
> names.
>
> I'm not sure if this will play well with Nexus.

The `rc` tag **must not appear in the content** of the binaries we produce,
as this would break reproducibility checks. We can certainly retain `rc` in the
filenames of the distribution archives.

Has there been any discussion on an integration between ATR and
Nexus/Central Portal? The Central Portal expects a ZIP archive containing JARs
arranged in the standard Maven Repository layout. In Log4j, we could adapt our
build process as follows:

1. **Create an ATR release** by providing the SHA1 of a commit from the
   `logging-log4j2` repository.
2. **ATR could generate a reproducible source archive** from the contents of
   that commit. For some projects (e.g., `log4cxx`), where the source is the
   only release artifact, this would complete the process.
3. **For Log4j**, we could use GitHub Workflows to upload additional
   artifacts to ATR, such as:
   * A ZIP archive of the JARs, formatted for Central Portal.
   * An SBOM
   * An archive with unit test results.

All artifacts could be accompanied by *in-toto* attestations instead of
traditional signatures, to ensure provenance.

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
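
The proposal in steps 2 and 3 of the comment above, sketched as an added example (not part of the original comment, and not ATR or Log4j code): a source archive whose bytes depend only on file names and contents, and an unsigned in-toto Statement that binds the archive's digest to the source commit. The repository URL, the all-zero commit id, the sample files, and the `buildType` and builder `id` values are assumptions made for illustration; wrapping the statement in a signed envelope is left out.

```python
import gzip, hashlib, io, json, tarfile

# Constructed sample inputs; the commit id is a placeholder, not a real one.
REPO = "https://github.com/apache/logging-log4j2"
COMMIT = "0" * 40
SAMPLE = {"src/Main.java": b"class Main {}\n", "pom.xml": b"<project/>\n"}

def reproducible_tar_gz(files, prefix):
    """Return .tar.gz bytes that depend only on member names and contents."""
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        for name in sorted(files):              # stable member order
            info = tarfile.TarInfo(f"{prefix}/{name}")
            info.size = len(files[name])
            info.mtime, info.mode = 0, 0o644    # no build time, fixed permissions
            info.uid = info.gid = 0             # no builder identity
            info.uname = info.gname = ""
            tar.addfile(info, io.BytesIO(files[name]))
    out = io.BytesIO()
    with gzip.GzipFile(filename="", fileobj=out, mode="wb", mtime=0) as gz:
        gz.write(raw.getvalue())                # mtime=0 keeps the gzip header fixed
    return out.getvalue()

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def statement(name, artifact, repo, commit):
    """Unsigned in-toto Statement v1 with a minimal SLSA v1 provenance predicate."""
    return {
        "_type": "https://in-toto.io/Statement/v1",
        "subject": [{"name": name, "digest": {"sha256": sha256_hex(artifact)}}],
        "predicateType": "https://slsa.dev/provenance/v1",
        "predicate": {
            "buildDefinition": {
                "buildType": "https://example.invalid/source-archive/v1",  # hypothetical
                "externalParameters": {"repository": repo, "commit": commit},
                "resolvedDependencies": [{"uri": "git+" + repo, "digest": {"gitCommit": commit}}],
            },
            "runDetails": {"builder": {"id": "https://example.invalid/atr"}},  # hypothetical
        },
    }

def subject_matches(stmt, artifact):
    """True if the artifact's SHA-256 digest is one of the statement's subjects."""
    return any(s["digest"].get("sha256") == sha256_hex(artifact) for s in stmt["subject"])

if __name__ == "__main__":
    archive = reproducible_tar_gz(SAMPLE, "apache-log4j-src")
    print(json.dumps(statement("apache-log4j-rc1-src.tar.gz", archive, REPO, COMMIT), indent=2))
```

The check in `subject_matches` compares digests only, so an `rc` tag in the archive's file name does not affect it, while any change to the archive's content does.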