We are not using the Apache CI servers for that but our own CI server. IMHO you should make a distinction between building and checking. Building should be automated as much as possible. Checking the release is a human job. There are lots of reasons why we stopped releasing from a local computer years ago.
2015-06-08 15:36 GMT+02:00 Jake Farrell <[email protected]>:

> No debate, the Apache CI servers are not intended to produce release
> artifacts and should not be used for this purpose. The release manager
> should build the artifacts locally and sign them before uploading them to
> be tested and voted on. Most projects have this process scripted out fully
> and will run the same script on Jenkins and then if a release flag is
> used sign and upload the artifacts accordingly (would also recommend making
> a template of the vote email so links and other details are not hand
> edited). If you would like any examples please let me know
>
> -Jake
>
>
> On Mon, Jun 8, 2015 at 8:55 AM, Cédric Champeau <[email protected]>
> wrote:
>
> > Well I guess the debate is because of Groovy and our use of robot keys, so
> > "should" vs "must". If it's a should, I think we're ok. The reason we use
> > robot signing is automation. We want to avoid as much human intervention in
> > the release process as possible. That is to say, in the end, the whole
> > release process should be automated, only checking the artifacts should be
> > human based. This is not possible if we involve individual signatures.
> > Basically, for Groovy, before joining Apache, we used to automate
> > everything but checking the artifacts. It worked pretty well so far... Of
> > course one option is to put our private keys into the CI server but ahem...
> > I don't really like the idea of having my private key in the wild.
> >
> > 2015-06-08 14:50 GMT+02:00 Jake Farrell <[email protected]>:
> >
> > > The release manager should use their individual key, details on signing and
> > > keys are available at [1]
> > >
> > > -Jake
> > >
> > > [1]: http://www.apache.org/dev/release-signing.html
> > >
> > > On Mon, Jun 8, 2015 at 2:59 AM, Roman Shaposhnik <[email protected]> wrote:
> > >
> > > > Hi!
> > > >
> > > > my recollection is that the collective opinion
> > > > was to discourage the use of KEYS of robots
> > > > for signing the releases and prefer individuals
> > > > do that with their keys.
> > > >
> > > > I remember a thread to that effect, but I can't
> > > > google it. Am I misremembering?
> > > >
> > > > Thanks,
> > > > Roman.
> > > >
> > > > ---------------------------------------------------------------------
> > > > To unsubscribe, e-mail: [email protected]
> > > > For additional commands, e-mail: [email protected]
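An added illustration of the release-script flow Jake describes above (the same build script on CI and on the release manager's machine, signing only behind a release flag with the release manager's own key, so the private key never has to live on the CI server). This is a hypothetical script written for this thread, not any Apache project's actual release script; it assumes `sha512sum` and `gpg` on the path, a made-up `release_main` entry point, and Jenkins's `JENKINS_URL` environment variable as the marker that the script is running under CI.

```shell
#!/bin/sh
# Hypothetical release script: one build step shared by CI and the release
# manager; checksums always; a detached signature only when --release is given.
set -eu

# Build stage: identical on Jenkins and on the RM's machine. The printf stands
# in for the real build; $1 is the output directory. Prints the artifact path.
build_artifact() {
    mkdir -p "$1"
    printf 'constructed sample artifact\n' > "$1/project-1.0.tar.gz"
    echo "$1/project-1.0.tar.gz"
}

# Checksum stage: a .sha512 file that voters can verify without any key.
checksum_artifact() {
    ( cd "$(dirname "$1")" && sha512sum "$(basename "$1")" > "$(basename "$1").sha512" )
}

# Signing stage: detached, ASCII-armored signature from the RM's own key ($2),
# verified immediately so a wrong --local-user is caught before anything is uploaded.
sign_artifact() {
    gpg --batch --yes --local-user "$2" --armor --detach-sign --output "$1.asc" "$1"
    gpg --verify "$1.asc" "$1"
}

# release_main [--release KEYID] OUTDIR
# Jenkins exports JENKINS_URL into every job; if it is set we refuse to sign,
# so there is never a reason to copy a private key onto the CI server.
release_main() {
    keyid=""
    if [ "${1:-}" = "--release" ]; then
        keyid="$2"
        shift 2
    fi
    outdir="$1"
    artifact=$(build_artifact "$outdir")
    checksum_artifact "$artifact"
    if [ -n "$keyid" ]; then
        if [ -n "${JENKINS_URL:-}" ]; then
            echo "refusing to sign on a CI server; rerun with --release on your own machine" >&2
            return 1
        fi
        sign_artifact "$artifact" "$keyid"
    fi
    echo "$artifact"
}
```

Run without `--release` on CI to get the artifact and its checksum for testing; run with `--release KEYID` locally to add the `.asc` that voters verify against the KEYS file.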
