[llvm-dev] Automating the releases a bit better.

David Chisnall via llvm-dev llvm-dev at lists.llvm.org
Tue Apr 27 00:58:50 PDT 2021


From a security perspective, I don't see that using GitHub Releases is 
worse than the current process.  I believe GitHub records which account 
has uploaded the release binaries, so there is an audit trail in case of 
tampering, which is the most that we can claim with the current process.

David


On 27/04/2021 07:20, Tobias Hieta via llvm-dev wrote:
> Hello,
> 
> Going to ping this again. To me there seems to be a short term fix
> (reducing the overhead for the release manager) and the longer term
> fix where we have a CI building the releases.
> 
> For the short-term it seems like the easiest solution is that we
> switch from uploading to SFTP and just upload to github releases
> directly.
> 
> The trade-offs against the current solution are:
> * No signatures from one person
> * All committers can upload and overwrite a release, note: this is
> already possible since anyone can overwrite Tom's uploads already.
> 
> Are we ok with these trade-offs? In that case I think we should use
> this for the LLVM 13 release.
> 
> I am also interested in seeing if we want to have "official" builds
> from a CI (github actions?) where the testers would help make the
> sysroots instead as David suggested in his email above. Is this
> something we should pursue?
> 
> Thanks,
> Tobias
> 
> On Fri, Apr 23, 2021 at 4:29 PM Tobias Hieta <tobias at plexapp.com> wrote:
>>
>> On Thu, Apr 22, 2021 at 11:46 PM Tom Stellard via llvm-dev
>> <llvm-dev at lists.llvm.org> wrote:
>>>
>>> The easiest option would be to have testers upload binaries directly to the
>>> GitHub release page.  Is this really any worse from a security perspective
>>> than what we are doing now?
>>>
>>> The main difference is that anyone with commit access can upload releases
>>> to GitHub whereas with the current sftp uploads, we have to explicitly
>>> grant people access.
>>>
>>
>> Hello Tom,
>>
>> I didn't really consider this option since it ends up with the
>> releases not being signed by you / LLVM.org and that more people had
>> access to upload binaries there. But this is of course an option and
>> is pretty easy for everyone involved.
>>
>> -- Tobias
> _______________________________________________
> LLVM Developers mailing list
> llvm-dev at lists.llvm.org
> https://lists.llvm.org/cgi-bin/mailman/listinfo/llvm-dev
> 


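The two trade-offs raised in the thread (assets no longer carry one person's signature, and any committer can upload or overwrite an asset) are both things a downstream consumer can check mechanically once the release lives on GitHub. The following is an added example, not code from this thread or from the LLVM project: it takes the JSON that GitHub's `GET /repos/{owner}/{repo}/releases/tags/{tag}` endpoint returns (the script only assumes the documented `assets[].name` and `assets[].uploader.login` fields, and parses a constructed sample instead of calling the API), compares each uploader against a hypothetical allowlist of release testers, and flags any binary that has no companion detached `.sig` asset. The asset names and account logins are made up for the example.

```python
import json

# Constructed sample in the shape of GitHub's release API response.
# Only the fields the audit uses are included; the logins are hypothetical.
SAMPLE_RELEASE_JSON = """
{
  "tag_name": "llvmorg-13.0.0",
  "assets": [
    {"name": "clang+llvm-13.0.0-x86_64-linux-gnu-ubuntu-20.04.tar.xz",
     "uploader": {"login": "tester-a"}, "size": 501234567},
    {"name": "clang+llvm-13.0.0-x86_64-linux-gnu-ubuntu-20.04.tar.xz.sig",
     "uploader": {"login": "tester-a"}, "size": 566},
    {"name": "clang+llvm-13.0.0-aarch64-linux-gnu.tar.xz",
     "uploader": {"login": "tester-b"}, "size": 412345678},
    {"name": "LLVM-13.0.0-win64.exe",
     "uploader": {"login": "unknown-user"}, "size": 234567890},
    {"name": "LLVM-13.0.0-win64.exe.sig",
     "uploader": {"login": "unknown-user"}, "size": 566}
  ]
}
"""

# Hypothetical allowlist: the accounts expected to upload binaries for this release.
ALLOWED_UPLOADERS = {"tester-a", "tester-b"}

SIGNATURE_SUFFIX = ".sig"


def load_release(text):
    """Parse a release object from the JSON text the GitHub API returns."""
    return json.loads(text)


def audit_release(release, allowed_uploaders):
    """Return [(asset_name, uploader_login, [problem, ...]), ...] for each binary asset.

    A binary asset is anything that is not itself a detached signature.
    An empty problem list means the asset passed both checks.
    """
    assets = release.get("assets", [])
    names = {asset["name"] for asset in assets}
    findings = []
    for asset in assets:
        name = asset["name"]
        if name.endswith(SIGNATURE_SUFFIX):
            continue  # signatures are checked via their parent asset
        uploader = (asset.get("uploader") or {}).get("login")
        problems = []
        if uploader not in allowed_uploaders:
            problems.append(f"uploader {uploader!r} not in allowlist")
        if name + SIGNATURE_SUFFIX not in names:
            problems.append("missing detached signature asset")
        findings.append((name, uploader, problems))
    return findings


def flagged_assets(findings):
    """Names of assets with at least one problem, for a quick pass/fail summary."""
    return [name for name, _, problems in findings if problems]


if __name__ == "__main__":
    release = load_release(SAMPLE_RELEASE_JSON)
    for name, uploader, problems in audit_release(release, ALLOWED_UPLOADERS):
        status = "ok" if not problems else "; ".join(problems)
        print(f"{name}  (uploaded by {uploader}): {status}")
```

The uploader check only tells you which account pushed the bytes that are currently there; as Tobias notes, a later upload by another committer replaces the asset and the recorded uploader along with it, so the record is an audit trail rather than an integrity guarantee. The signature check is the part that survives a re-upload, and it is only meaningful if the consumer then actually verifies the `.sig` against a key it trusts rather than just noting that the file exists.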