On Mon, Jun 8, 2015 at 9:40 AM, Cédric Champeau <[email protected]> wrote:
> We are not using the Apache CI servers for that but our own CI server. IMHO
> you should make a difference between building and checking. Building should
> be automated as much as possible. Checking the release is a human job.
> There are lots of reasons why we stopped releasing from a local computer
> years ago.

Who has access to the keys? How are they secured, and what's the plan for going forward with that? (and this should all be documented)

I ask this because I know of more than one project that has had a 'centralized key' to sign with; but which the PMC didn't control; and that eventually caused problems when the person with access to the key disappeared from the community.

As Jake said, I personally wouldn't entrust keys to the ASF's general purpose CI infrastructure, but I haven't seen anything that immediately sets off klaxons in my head.

--David
