[llvm-dev] Automating the releases a bit better.

James Henderson via llvm-dev llvm-dev at lists.llvm.org
Tue Apr 27 00:51:27 PDT 2021


I've got no particular stake in this myself, as I'm not involved in the
LLVM release process, and we make our own releases for our downstream
users. One thought I did have though was that we should be careful against
malicious actors potentially swapping out the official binaries with some
other executable (e.g. a virus or worse, a modified LLVM that inserts
viruses/flaws into people's code...). I'm not familiar enough with how the
setup works etc., so I can't comment on whether this is a real possibility
or can easily be prevented one way or another.

On Tue, 27 Apr 2021 at 07:20, Tobias Hieta via llvm-dev <
llvm-dev at lists.llvm.org> wrote:

> Hello,
>
> Going to ping this again. To me there seems to be a short term fix
> (reducing the overhead for the release manager) and the longer term
> fix where we have a CI building the releases.
>
> For the short-term it seems like the easiest solution is that we
> switch from uploading to SFTP and just upload to github releases
> directly.
>
> The trade-offs against the current solution are:
> * No signatures from one person
> * All committers can upload and overwrite a release, note: this is
> already possible since anyone can overwrite Tom's uploads already.
>
> Are we ok with these trade-offs? In that case I think we should use
> this for the LLVM 13 release.
>
> I am also interested in seeing if we want to have "official" builds
> from a CI (github actions?) where the testers would help make the
> sysroots instead as David suggested in his email above. Is this
> something we should pursue?
>
> Thanks,
> Tobias
>
> On Fri, Apr 23, 2021 at 4:29 PM Tobias Hieta <tobias at plexapp.com> wrote:
> >
> > On Thu, Apr 22, 2021 at 11:46 PM Tom Stellard via llvm-dev
> > <llvm-dev at lists.llvm.org> wrote:
> > >
> > > The easiest option would be to have testers upload binaries directly
> > > to the GitHub release page.  Is this really any worse from a security
> > > perspective than what we are doing now?
> > >
> > > The main difference is that anyone with commit access can upload
> > > releases to GitHub whereas with the current sftp uploads, we have to
> > > explicitly grant people access.
> > >
> >
> > Hello Tom,
> >
> > I didn't really consider this option since it ends up with the
> > releases not being signed by you / LLVM.org and that more people had
> > access to upload binaries there. But this is of course an option and
> > is pretty easy for everyone involved.
> >
> > -- Tobias
> _______________________________________________
> LLVM Developers mailing list
> llvm-dev at lists.llvm.org
> https://lists.llvm.org/cgi-bin/mailman/listinfo/llvm-dev
>
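The thread's two security points are the value of a release signature from one key holder and the risk that anyone able to write to the download location swaps a binary. The following is an added example (not LLVM's release tooling) of the check that makes a swapped binary detectable: the release manager signs a sha256sum-style manifest with an Ed25519 key, and the consumer verifies the manifest signature against a pinned public key before comparing the artifact's digest. Ed25519 stands in for whatever signing scheme the project uses; the artifact names and contents are constructed, and the public key is assumed to be distributed out of band rather than from the same host as the binaries.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Artifact is one release file: its name and its contents.
type Artifact struct {
	Name string
	Data []byte
}

// BuildManifest produces a checksum manifest in the sha256sum style:
// one "<hex digest>  <name>" line per artifact, sorted by name so the
// bytes that get signed are deterministic.
func BuildManifest(artifacts []Artifact) []byte {
	sorted := append([]Artifact(nil), artifacts...)
	sort.Slice(sorted, func(i, j int) bool { return sorted[i].Name < sorted[j].Name })
	var b strings.Builder
	for _, a := range sorted {
		sum := sha256.Sum256(a.Data)
		fmt.Fprintf(&b, "%s  %s\n", hex.EncodeToString(sum[:]), a.Name)
	}
	return []byte(b.String())
}

// SignManifest is the release manager's step: a detached Ed25519 signature
// over the manifest bytes. Only the holder of the private key can produce it.
func SignManifest(priv ed25519.PrivateKey, manifest []byte) []byte {
	return ed25519.Sign(priv, manifest)
}

var (
	ErrBadSignature   = errors.New("manifest signature does not verify")
	ErrNotInManifest  = errors.New("artifact not listed in manifest")
	ErrDigestMismatch = errors.New("artifact digest does not match manifest")
)

// VerifyArtifact is the consumer's step. It first checks the manifest
// signature against the publisher's pinned public key, then checks the
// artifact's SHA-256 against the manifest entry. A binary swapped on the
// download host fails the digest check; a manifest swapped along with it
// fails the signature check, because the attacker cannot re-sign it.
func VerifyArtifact(pub ed25519.PublicKey, manifest, sig []byte, a Artifact) error {
	if !ed25519.Verify(pub, manifest, sig) {
		return ErrBadSignature
	}
	sum := sha256.Sum256(a.Data)
	want := hex.EncodeToString(sum[:])
	for _, line := range strings.Split(string(manifest), "\n") {
		fields := strings.Fields(line)
		if len(fields) != 2 || fields[1] != a.Name {
			continue
		}
		if subtle.ConstantTimeCompare([]byte(fields[0]), []byte(want)) == 1 {
			return nil
		}
		return ErrDigestMismatch
	}
	return ErrNotInManifest
}

func main() {
	// Constructed release key; in practice the public half is pinned by
	// consumers and the private half never leaves the release manager.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed artifact standing in for a release tarball.
	genuine := Artifact{Name: "llvm-release-constructed.tar.xz", Data: []byte("constructed tarball bytes")}
	manifest := BuildManifest([]Artifact{genuine})
	sig := SignManifest(priv, manifest)

	fmt.Println("genuine artifact:", VerifyArtifact(pub, manifest, sig, genuine))
	// Same name, different contents: what an overwritten upload looks like.
	swapped := Artifact{Name: genuine.Name, Data: []byte("replaced tarball bytes")}
	fmt.Println("swapped artifact:", VerifyArtifact(pub, manifest, sig, swapped))
	// Replacing the manifest too does not help without the signing key.
	forged := BuildManifest([]Artifact{swapped})
	fmt.Println("forged manifest: ", VerifyArtifact(pub, forged, sig, swapped))
}
```

The split into two checks matters for the trade-off Tobias lists: GitHub releases without a signature give consumers only the digest check, and a digest published next to the binary is as easy to overwrite as the binary itself, so it detects corruption but not a deliberate swap. The signature is what ties the manifest to one key holder, which is the property the SFTP-plus-signature flow provides and the plain upload loses.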

