Tobias Hieta via llvm-dev
2021-Apr-23 14:29 UTC
[llvm-dev] Automating the releases a bit better.
On Thu, Apr 22, 2021 at 11:46 PM Tom Stellard via llvm-dev <llvm-dev at lists.llvm.org> wrote:
>
> The easiest option would be to have testers upload binaries directly to the
> GitHub release page. Is this really any worse from a security perspective
> than what we are doing now?
>
> The main difference is that anyone with commit access can upload releases
> to GitHub whereas with the current sftp uploads, we have to explicitly
> grant people access.
>

Hello Tom,

I didn't really consider this option since it ends up with the releases not being signed by you / LLVM.org and that more people had access to upload binaries there. But this is of course an option and is pretty easy for everyone involved.

-- Tobias
Tobias Hieta via llvm-dev
2021-Apr-27 06:20 UTC
[llvm-dev] Automating the releases a bit better.
Hello,

Going to ping this again. To me there seems to be a short-term fix (reducing the overhead for the release manager) and the longer-term fix where we have a CI building the releases.

For the short term it seems like the easiest solution is that we switch from uploading to SFTP and just upload to github releases directly. The trade-offs against the current solution are:

* No signatures from one person
* All committers can upload and overwrite a release, note: this is already possible since anyone can overwrite Tom's uploads already.

Are we ok with these trade-offs? In that case I think we should use this for the LLVM 13 release.

I am also interested in seeing if we want to have "official" builds from a CI (github actions?) where the testers would help make the sysroots instead as David suggested in his email above. Is this something we should pursue?

Thanks,
Tobias

On Fri, Apr 23, 2021 at 4:29 PM Tobias Hieta <tobias at plexapp.com> wrote:
>
> On Thu, Apr 22, 2021 at 11:46 PM Tom Stellard via llvm-dev
> <llvm-dev at lists.llvm.org> wrote:
> >
> > The easiest option would be to have testers upload binaries directly to the
> > GitHub release page. Is this really any worse from a security perspective
> > than what we are doing now?
> >
> > The main difference is that anyone with commit access can upload releases
> > to GitHub whereas with the current sftp uploads, we have to explicitly
> > grant people access.
> >
>
> Hello Tom,
>
> I didn't really consider this option since it ends up with the
> releases not being signed by you / LLVM.org and that more people had
> access to upload binaries there. But this is of course an option and
> is pretty easy for everyone involved.
>
> -- Tobias
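The two trade-offs named in the message above (no signature from a single release manager, and any committer being able to overwrite an upload) are easiest to see side by side. The following is an added example, not code from the thread or from the LLVM project: it uses a Go ed25519 key as a stand-in for whatever signing key the release manager holds, constructed byte strings in place of real release tarballs, and hypothetical function names. It walks through an uploader with write access to the release page replacing both the artifact and the SHA256SUMS entry next to it, and shows which of the downloader's checks still catches that.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Constructed stand-in for a release tarball; not a real LLVM artifact.
var genuineArtifact = []byte("release-13.0.0 tarball bytes (constructed)")

// What an account with upload rights to the release page could put in its place.
var replacedArtifact = []byte("release-13.0.0 tarball bytes (replaced)")

// Sha256Hex is the kind of entry that goes into a SHA256SUMS file.
func Sha256Hex(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// ChecksumMatches models a downloader comparing a file against a published SHA256SUMS line.
func ChecksumMatches(data []byte, published string) bool {
	return Sha256Hex(data) == published
}

// SignRelease produces a detached signature with the release manager's key.
// ed25519 is an assumption here, standing in for the signature scheme the thread refers to.
func SignRelease(priv ed25519.PrivateKey, data []byte) []byte {
	return ed25519.Sign(priv, data)
}

// VerifyRelease checks a detached signature against the release manager's public key.
func VerifyRelease(pub ed25519.PublicKey, data, sig []byte) bool {
	return ed25519.Verify(pub, data, sig)
}

// Result captures the three checks a downloader might run.
type Result struct {
	GenuineSignatureOK  bool // signature verifies on the original upload
	ReplacedChecksumOK  bool // checksum still matches after the uploader replaced both files
	ReplacedSignatureOK bool // signature verifies on the replaced upload
}

// Scenario walks through the overwrite case discussed in the thread.
func Scenario() (Result, error) {
	var r Result
	// Key pair held only by the release manager; uploaders do not have it.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return r, err
	}

	// Release manager publishes the artifact, its SHA256SUMS entry and a detached signature.
	publishedSum := Sha256Hex(genuineArtifact)
	sig := SignRelease(priv, genuineArtifact)
	r.GenuineSignatureOK = VerifyRelease(pub, genuineArtifact, sig)

	// An account with write access to the release page replaces the artifact and,
	// since SHA256SUMS lives in the same place, replaces that entry too.
	publishedSum = Sha256Hex(replacedArtifact)
	r.ReplacedChecksumOK = ChecksumMatches(replacedArtifact, publishedSum)

	// The signature cannot be regenerated without the release manager's private key,
	// so the old signature no longer verifies on the replaced bytes.
	r.ReplacedSignatureOK = VerifyRelease(pub, replacedArtifact, sig)
	return r, nil
}

func main() {
	r, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", r)
}
```

The point the example makes about the second trade-off is that a checksum file published alongside the binaries only detects corruption, not replacement by someone who can write to the same location; a signature from a key the uploaders do not hold is what distinguishes the two. Whether that is acceptable for a given release is the question the message leaves open.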