[Release-testers] [llvm-dev] Automating the releases a bit better.
Tobias Hieta via Release-testers
release-testers at lists.llvm.org
Mon Apr 26 23:20:22 PDT 2021
Going to ping this again. To me there seems to be a short term fix
(reducing the overhead for the release manager) and the longer term
fix where we have a CI building the releases.
For the short-term it seems like the easiest solution is that we
switch from uploading to SFTP and just upload to github releases
The trade-offs against the current solution are:
* No signatures from one person
* All committers can upload and overwrite a release, note: this is
already possible since anyone can overwrite Tom's uploads already.
Are we ok with these trade-offs? In that case I think we should use
this for the LLVM 13 release.
I am also interested in seeing if we want to have "official" builds
from a CI (github actions?) where the testers would help make the
sysroots instead as David suggested in his email above. Is this
something we should pursue?
On Fri, Apr 23, 2021 at 4:29 PM Tobias Hieta <tobias at plexapp.com> wrote:
> On Thu, Apr 22, 2021 at 11:46 PM Tom Stellard via llvm-dev
> <llvm-dev at lists.llvm.org> wrote:
> > The easiest option would be to have testers upload binaries directly to the
> > GitHub release page. Is this really any worse from a security perspective
> > than what we are doing now?
> > The main difference is that anyone with commit access can upload releases
> > to GitHub whereas with the current sftp uploads, we have to explicitly
> > grant people access.
> Hello Tom,
> I didn't really consider this option since it ends up with the
> releases not being signed by you / LLVM.org and that more people had
> access to upload binaries there. But this is of course an option and
> is pretty easy for everyone involved.
> -- Tobias
More information about the Release-testers