[Release-testers] [llvm-dev] Automating the releases a bit better.

Tobias Hieta via Release-testers release-testers at lists.llvm.org
Mon Apr 26 23:20:22 PDT 2021


Going to ping this again. To me there seems to be a short term fix
(reducing the overhead for the release manager) and the longer term
fix where we have a CI building the releases.

For the short term, it seems like the easiest solution is that we
switch from uploading to SFTP and just upload to GitHub releases.

The trade-offs against the current solution are:
* No signatures from one person
* All committers can upload and overwrite a release. Note: this is
already possible since anyone can overwrite Tom's uploads already.

Are we ok with these trade-offs? In that case I think we should use
this for the LLVM 13 release.

I am also interested in seeing if we want to have "official" builds
from a CI (GitHub Actions?) where the testers would help make the
sysroots instead as David suggested in his email above. Is this
something we should pursue?


On Fri, Apr 23, 2021 at 4:29 PM Tobias Hieta <tobias at plexapp.com> wrote:
> On Thu, Apr 22, 2021 at 11:46 PM Tom Stellard via llvm-dev
> <llvm-dev at lists.llvm.org> wrote:
> >
> > The easiest option would be to have testers upload binaries directly to the
> > GitHub release page.  Is this really any worse from a security perspective
> > than what we are doing now?
> >
> > The main difference is that anyone with commit access can upload releases
> > to GitHub whereas with the current sftp uploads, we have to explicitly
> > grant people access.
> >
> Hello Tom,
> I didn't really consider this option since it ends up with the
> releases not being signed by you / LLVM.org and that more people had
> access to upload binaries there. But this is of course an option and
> is pretty easy for everyone involved.
> -- Tobias
