[llvm-dev] Automating the releases a bit better.

Tom Stellard via llvm-dev llvm-dev at lists.llvm.org
Sat Jan 8 00:31:04 PST 2022

On 4/26/21 23:20, Tobias Hieta wrote:
> Hello,

Restarting this discussion.

> Going to ping this again. To me there seems to be a short term fix
> (reducing the overhead for the release manager) and the longer term
> fix where we have a CI building the releases.
> For the short-term it seems like the easiest solution is that we
> switch from uploading to SFTP and just upload to github releases
> directly.

I would like to propose a variation of this idea:

I think we should have testers upload directly to GitHub, but keep the
rest of the process the same as now.  So testers will still email me a
sha512 hash of the binaries they upload, and I'll still sign the binaries.

This means there will be a period of time where we have unsigned binaries on
the release page, but I think this is OK.  People who care about the signatures
can just wait until I sign the packages, and people who don't care about the
signatures will get their builds faster.

For some added validation, we can create a release-testers team and automatically
delete any uploads from anyone not on that team.

- Tom

> The trade-offs against the current solution are:
> * No signatures from one person
> * All committers can upload and overwrite a release, note: this is
> already possible since anyone can overwrite Tom's uploads already.
> Are we ok with these trade-offs? In that case I think we should use
> this for the LLVM 13 release.
> I am also interested in seeing if we want to have "official" builds
> from a CI (github actions?) where the testers would help make the
> sysroots instead as David suggested in his email above. Is this
> something we should pursue?
> Thanks,
> Tobias
> On Fri, Apr 23, 2021 at 4:29 PM Tobias Hieta <tobias at plexapp.com> wrote:
>> On Thu, Apr 22, 2021 at 11:46 PM Tom Stellard via llvm-dev
>> <llvm-dev at lists.llvm.org> wrote:
>>> The easiest option would be to have testers upload binaries directly to the
>>> GitHub release page.  Is this really any worse from a security perspective
>>> than what we are doing now?
>>> The main difference is that anyone with commit access can upload releases
>>> to GitHub whereas with the current sftp uploads, we have to explicitly
>>> grant people access.
>> Hello Tom,
>> I didn't really consider this option since it ends up with the
>> releases not being signed by you / LLVM.org and that more people had
>> access to upload binaries there. But this is of course an option and
>> is pretty easy for everyone involved.
>> -- Tobias
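As an added example (not LLVM release tooling, and not anything proposed in the thread), here is a Python script a release manager could run over downloaded release assets before signing them, covering the two checks described above: it verifies each file against the sha512sum line a tester emailed, and it lists assets whose uploader is not on a hypothetical release-testers team. The asset listing is constructed inline in the shape of GitHub's release-asset JSON (each entry with "name" and "uploader": {"login": ...}); the team membership, file names and file contents are all assumptions made up for the example.

```python
"""Pre-signing checks for release assets uploaded to a GitHub release page.

Added example, not LLVM release tooling. Assumptions:
  * testers email sha512sum-style lines ("<hex>  <filename>" or "<hex> *<filename>");
  * the asset listing is shaped like GitHub's release-asset JSON, i.e. each entry
    has "name" and "uploader": {"login": ...};
  * the allow-list is the set of GitHub logins on a hypothetical release-testers team.
All inputs used in demo() are constructed here so the script runs offline.
"""
import hashlib
import hmac
import os
import tempfile

HEX_DIGITS = set("0123456789abcdef")


def sha512_file(path, chunk_size=1 << 20):
    """Hash a file in 1 MiB chunks so a large tarball is never read into memory at once."""
    h = hashlib.sha512()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_sha512sum_lines(text):
    """Parse sha512sum output pasted into an email into {filename: hexdigest}.

    Accepts text-mode ("<hex>  name") and binary-mode ("<hex> *name") lines,
    skips blank lines, and rejects anything that is not a 128-hex-char digest.
    """
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"malformed sha512sum line: {line!r}")
        digest, name = parts[0].lower(), parts[1].lstrip("*")
        if len(digest) != 128 or not set(digest) <= HEX_DIGITS:
            raise ValueError(f"malformed sha512 digest in: {line!r}")
        expected[name] = digest
    return expected


def verify_asset(path, expected_hex):
    """True only if the file's sha512 equals the emailed digest (constant-time compare)."""
    return hmac.compare_digest(sha512_file(path), expected_hex.lower())


def assets_to_delete(assets, team_logins):
    """Names of assets whose uploader is not on the release-testers allow-list."""
    return [a["name"] for a in assets if a["uploader"]["login"] not in team_logins]


def demo():
    """Constructed scenario: one good upload, one file modified after the tester
    hashed it, and one asset uploaded by someone outside the team."""
    payload = b"constructed stand-in for a release tarball\n"  # not a real LLVM artifact
    with tempfile.TemporaryDirectory() as tmp:
        good = os.path.join(tmp, "good.tar.xz")
        tampered = os.path.join(tmp, "tampered.tar.xz")
        with open(good, "wb") as f:
            f.write(payload)
        with open(tampered, "wb") as f:
            f.write(payload[:-1] + b"!")  # one byte changed after the tester hashed it
        emailed = hashlib.sha512(payload).hexdigest()
        # The tester's email lists both files with the digest of the original payload.
        mail = f"{emailed}  good.tar.xz\n{emailed} *tampered.tar.xz\n"
        expected = parse_sha512sum_lines(mail)
        results = {
            "good_ok": verify_asset(good, expected["good.tar.xz"]),
            "tampered_ok": verify_asset(tampered, expected["tampered.tar.xz"]),
        }
    # Constructed asset listing in the shape of GitHub's release-asset JSON (assumed).
    assets = [
        {"name": "good.tar.xz", "uploader": {"login": "tester-a"}},
        {"name": "tampered.tar.xz", "uploader": {"login": "tester-b"}},
        {"name": "stranger.tar.xz", "uploader": {"login": "random-committer"}},
    ]
    team = {"tester-a", "tester-b"}  # hypothetical release-testers team membership
    results["delete"] = assets_to_delete(assets, team)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The hash check only tells the release manager that the file on the release page is the one the tester hashed; it is the manager's signature, applied after this check passes, that gives downstream users anything to verify. The uploader check is only as good as the team list it is given, so that list should be read from the team itself rather than maintained by hand.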
