Re: [lldb-dev] [Release-testers] LLVM 11.0.1-final has been tagged

[Brian Cain via lldb-dev]

Uploaded Ubuntu 16, SLES12.

 $ cat clang+llvm-11.0.1-x86_64-linux-sles12.4.tar.xz.sha256
clang+llvm-11.0.1-x86_64-linux-gnu-ubuntu-16.04.tar.xz.sha256
77cd59cf6f932cf2b3c9a68789d1bd3f7ba9f471a28f6ba25e25deb1a0806e0d
 clang+llvm-11.0.1-x86_64-linux-sles12.4.tar.xz
67f18660231d7dd09dc93502f712613247b7b4395e6f48c11226629b250b53c5
 clang+llvm-11.0.1-x86_64-linux-gnu-ubuntu-16.04.tar.xz

On Tue, Jan 5, 2021 at 9:21 PM Tom Stellard via Release-testers <
release-test...@lists.llvm.org> wrote:

> Hi,
>
> I've tagged LLVM 11.0.1-final.  Testers can upload the final binaries now.
>
> -Tom
>
> ___
> Release-testers mailing list
> release-test...@lists.llvm.org
> https://lists.llvm.org/cgi-bin/mailman/listinfo/release-testers
>


-- 
-Brian
___
lldb-dev mailing list
lldb-dev@lists.llvm.org
https://lists.llvm.org/cgi-bin/mailman/listinfo/lldb-dev

[lldb-dev] RFC: Automated signing of release files

[Tom Stellard via lldb-dev]

Hi,

I would like to automate the signing of some of the release files we 
upload to the release page, starting with the source tarballs.  My 
initial goal is to have a CI job that automatically creates, signs, and 
uploads the source tarballs, whenever a new release is tagged.  I would 
also like the key used for signing to be a 'project' key and not 
someone's personal key.


Once this is done, I would like to implement something similar for the 
release binaries, so that testers could upload the binaries and have 
them automatically signed.  This will be more difficult than the source 
tarballs, because the binaries are built by individual testers, so we 
would need to prove that they come from a trust-worthy source.


Implementing these changes, will help streamline the release process and 
let release managers avoid doing a lot of manual mistake-prone tasks.


The questions I have for the community are:

Is this a good idea?

How can I implement this securely?

Thanks,
Tom

___
lldb-dev mailing list
lldb-dev@lists.llvm.org
https://lists.llvm.org/cgi-bin/mailman/listinfo/lldb-dev

Re: [lldb-dev] [llvm-dev] RFC: Automated signing of release files

[Tom Stellard via lldb-dev]

On 1/12/21 9:22 PM, Deep Majumder wrote:

Hi Tom,
Although I am new to the community, I think this a great idea. One 
question I have is how would the project key be securely stored. (Like 
where to store it and how to prevent leaks, I believe GitHub has a 
secrets feature. Would something similar be used?)


I'm not sure, this is one thing I would like advice about.  If we used 
GitHub actions to do the signing, then using secrets would be one 
option.  I think we could also host our own GitHub Actions runner and 
store the keys there.


-Tom


Warm regards,
Deep

On Wed, Jan 13, 2021, 10:43 AM Tom Stellard via llvm-dev 
mailto:llvm-...@lists.llvm.org>> wrote:


Hi,

I would like to automate the signing of some of the release files we
upload to the release page, starting with the source tarballs.  My
initial goal is to have a CI job that automatically creates, signs, and
uploads the source tarballs, whenever a new release is tagged.  I would
also like the key used for signing to be a 'project' key and not
someone's personal key.

Once this is done, I would like to implement something similar for the
release binaries, so that testers could upload the binaries and have
them automatically signed.  This will be more difficult than the source
tarballs, because the binaries are built by individual testers, so we
would need to prove that they come from a trust-worthy source.

Implementing these changes, will help streamline the release process
and
let release managers avoid doing a lot of manual mistake-prone tasks.

The questions I have for the community are:

Is this a good idea?

How can I implement this securely?

Thanks,
Tom

___
LLVM Developers mailing list
llvm-...@lists.llvm.org 
https://lists.llvm.org/cgi-bin/mailman/listinfo/llvm-dev



___
lldb-dev mailing list
lldb-dev@lists.llvm.org
https://lists.llvm.org/cgi-bin/mailman/listinfo/lldb-dev