[llvm-dev] Automating the releases a bit better.
Neil Nelson via llvm-dev
llvm-dev at lists.llvm.org
Thu Apr 22 12:43:25 PDT 2021
No problem here.
Neil Nelson
On 4/22/21 4:08 AM, Tobias Hieta via llvm-dev wrote:
> Hello,
>
> Me and Tom was talking yesterday about a way to automate and reduce
> the manual work that goes into getting the release testers builds into
> github.
>
> Currently the release testers build the distribution, uploads it to
> the sftp and then sends a email with the SHA-256 to Tom. Tom then
> verifies the files against the sha, signs them with pgp and uploads
> them to github.
>
> This is a pretty labor intensive procedure and makes it so that
> release artifacts can lag quite a bit, depending on how much time Tom
> has available.
>
> I have two ideas on how to make this less annoying:
>
> * We could have the release testers upload a .sha256 file together
> with the distribution that contains a single line with the expected
> hash. We could then write a script that takes the sha, compares it and
> if it's correct signs it with the release key and uploads to github.
> This can either be automated to run on a cron schedule or something
> that Tom runs manually on his machine. The downside to this method is
> that we remove the separate channel for the sha256 transmission. So if
> someone would want to upload a malicious build he would "only" need to
> gain access to the sftp. I am not that worried about that at this
> moment, but something to consider.
>
> * The other more secure option is that the release testers actually
> sign the binaries with their own key. These key identities could be
> then be send async to Tom and now the script would check the signature
> against the list of known testers. This would solve any point of
> origin problems. But it would require a bit more on the release
> testers side. For my part I think it might be worth doing this, we
> could even write a script that could automate this on the testers side
> as well.
>
> I direct this question to the testers and the community at whole, what
> do you guys think about the extra work and the security tradeoffs
> here?
>
> Thanks,
> Tobias
> _______________________________________________
> LLVM Developers mailing list
> llvm-dev at lists.llvm.org
> https://lists.llvm.org/cgi-bin/mailman/listinfo/llvm-dev
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.llvm.org/pipermail/llvm-dev/attachments/20210422/93d81a3f/attachment.html>
More information about the llvm-dev
mailing list