[llvm-dev] Automating the releases a bit better.

Tobias Hieta via llvm-dev llvm-dev at lists.llvm.org
Mon Apr 26 23:20:22 PDT 2021


Hello,

Going to ping this again. To me there seems to be a short-term fix
(reducing the overhead for the release manager) and the longer-term
fix where we have a CI building the releases.

For the short term, it seems like the easiest solution is that we
switch from uploading to SFTP and just upload to GitHub releases
directly.

The trade-offs against the current solution are:
* No signatures from one person
* All committers can upload and overwrite a release. Note: this is
already possible since anyone can overwrite Tom's uploads already.

Are we OK with these trade-offs? In that case I think we should use
this for the LLVM 13 release.

I am also interested in seeing if we want to have "official" builds
from a CI (GitHub Actions?) where the testers would help make the
sysroots instead, as David suggested in his email above. Is this
something we should pursue?

Thanks,
Tobias

On Fri, Apr 23, 2021 at 4:29 PM Tobias Hieta <tobias at plexapp.com> wrote:
>
> On Thu, Apr 22, 2021 at 11:46 PM Tom Stellard via llvm-dev
> <llvm-dev at lists.llvm.org> wrote:
> >
> > The easiest option would be to have testers upload binaries directly to the
> > GitHub release page.  Is this really any worse from a security perspective
> > than what we are doing now?
> >
> > The main difference is that anyone with commit access can upload releases
> > to GitHub whereas with the current sftp uploads, we have to explicitly
> > grant people access.
> >
>
> Hello Tom,
>
> I didn't really consider this option since it ends up with the
> releases not being signed by you / LLVM.org and that more people had
> access to upload binaries there. But this is of course an option and
> is pretty easy for everyone involved.
>
> -- Tobias

