[armedbear-devel] Release signing (was Maven & ABCL)
Morale: this is not terribly complicated, and it would make ABCL available through another distribution channel. OTOH, I can't hide the fact that - besides my own personal convenience for my shared project - probably no-one is using ABCL in Maven projects right now, and having ABCL released through Maven would complicate its release process, not much for technical reasons but for organizational ones (e.g. who keeps ABCL's GPG key? How is it managed?).
Currently Erik maintains the GPG key we currently use for signing. Does anyone have a model by which we could somehow share it? It might be nice to start "rotating" the responsibility for the releases among the four core committers to help take some work off of Erik's plate.
Yes. The key I use for signing as really my own though: I use it to sign all packages I put up for distribution: usocket (when I last did), cl-irc, ABCL, Subversion, py-configparser and maybe others. Within the Subversion project we had a discussion about having a project key or not. We considered that a project key would have to be passed from one to another person, increasing chances of the key getting compromised. Also, the process with a single key means single point of failure. What we considered back then - and are still doing today - is that as many committers as possible sign the release. Each committer signs the variants of the release he/she verified and tested to work well. (There is a tgz and a zip release, exactly like ours, one meant for *nix, the other for Windows). Having many committers sign each release reduces the dependency on every single one of them, but also allows others to join in and maybe have some of the older contributors flow out. Due to the fact that the core stays the same from one release to another, the signatures are still very well recognizable as "the official Subversion release with its regular signatures". I'm interested in your opinions (and how this might work with Maven). Do you think this approach would help to lift work off my shoulders? Do you think it's a good idea to make the signatures "mean" anything? Do you think our group of contributors is large enough to start collecting multiple signatures at all? By the way, I think it's really great that we're actually having this discussion. To me it says something about the maturity of the ABCL project and the attitude of the committers in its community: we're a group dedicated to setting steps in the direction of delivering mature software with solid processes to ensure that our users are getting the quality they deserve. Bye, Erik.'
On Thu, Feb 10, 2011 at 9:46 PM, Erik Huelsmann <ehuels@gmail.com> wrote:
Morale: this is not terribly complicated, and it would make ABCL available through another distribution channel. OTOH, I can't hide the fact that - besides my own personal convenience for my shared project - probably no-one is using ABCL in Maven projects right now, and having ABCL released through Maven would complicate its release process, not much for technical reasons but for organizational ones (e.g. who keeps ABCL's GPG key? How is it managed?).
Currently Erik maintains the GPG key we currently use for signing. Does anyone have a model by which we could somehow share it? It might be nice to start "rotating" the responsibility for the releases among the four core committers to help take some work off of Erik's plate.
Yes. The key I use for signing as really my own though: I use it to sign all packages I put up for distribution: usocket (when I last did), cl-irc, ABCL, Subversion, py-configparser and maybe others.
Within the Subversion project we had a discussion about having a project key or not. We considered that a project key would have to be passed from one to another person, increasing chances of the key getting compromised. Also, the process with a single key means single point of failure.
What we considered back then - and are still doing today - is that as many committers as possible sign the release. Each committer signs the variants of the release he/she verified and tested to work well. (There is a tgz and a zip release, exactly like ours, one meant for *nix, the other for Windows).
Having many committers sign each release reduces the dependency on every single one of them, but also allows others to join in and maybe have some of the older contributors flow out. Due to the fact that the core stays the same from one release to another, the signatures are still very well recognizable as "the official Subversion release with its regular signatures".
I'm interested in your opinions (and how this might work with Maven). Do you think this approach would help to lift work off my shoulders? Do you think it's a good idea to make the signatures "mean" anything? Do you think our group of contributors is large enough to start collecting multiple signatures at all?
This seems a sensible approach and the fact it's used by important projects like Subversion means it's valid in practice. I just feared that introducing a gpg key would complicate things, but since our releases are already signed, that's not an additional burden. Not having a project-wide key but using personal ones means more flexibility and more security too (a single shared key has more risk of being compromised). Maven itself doesn't do anything special with the signed files; it's just Sonatype and Maven Central that require signatures, for security reasons. However, if several people sign the distributed files, each person will have to maven-deploy only the files they signed. I.e. signing and publishing are a single, atomic step (if you use Maven; everything Maven does can be done with other means of course. In the end it's just a bunch http PUTs. But doing it with Maven is certainly much simpler).
By the way, I think it's really great that we're actually having this discussion. To me it says something about the maturity of the ABCL project and the attitude of the committers in its community: we're a group dedicated to setting steps in the direction of delivering mature software with solid processes to ensure that our users are getting the quality they deserve.
I agree. But it's not as fun as talking about critical bugs :D Cheers Alessio
participants (2)
-
Alessio Stalla -
Erik Huelsmann