apache / arrow

Apache Arrow is a multi-language toolbox for accelerated data interchange and in-memory processing
https://arrow.apache.org/
Apache License 2.0

[Packaging][Release] Use Debian/RPM type Artifactory repositories instead of General type Artifactory repository #37350

Open kou opened 1 year ago

kou commented 1 year ago

Describe the enhancement requested

Background

We're using a "General" type Artifactory repository to provide APT/Yum repositories. We generate metadata for the APT/Yum repositories by ourselves. Recently, we sometimes get 403 Forbidden errors when we use the APT repository in the "General" type Artifactory repository. See also #35292.

INFRA asked JFrog about this. See also https://issues.apache.org/jira/browse/INFRA-24569 . JFrog recommended migrating to a "Debian" type Artifactory repository. INFRA (not JFrog) also said that a "Generic" type Artifactory repository isn't suitable for an APT repository.

Compatibility

I already created the https://apache.jfrog.io/ui/repos/tree/General/arrow-debian?projectKey=arrow and https://apache.jfrog.io/ui/repos/tree/General/arrow-rpm?projectKey=arrow repositories but I haven't done anything yet.

If we use "Debian"/"RPM" type repositories instead of the current "General" type repository, users need to change their configuration. I want to avoid it as much as possible. We're providing the apache-arrow-apt-source package for the APT repository and the apache-arrow-release package for the Yum repository. I hope that we can implement a safe migration (users don't need to change anything; users just need to run apt update/dnf update as usual) by using them.

See also

Component(s)

Packaging, Release

kou commented 10 months ago

The automated release signing guideline: https://infra.apache.org/release-signing.html#automated-release-signing

kou commented 10 months ago

Can we use the default signing key for Debian/RPM Package Type repositories to release "official" artifacts? https://issues.apache.org/jira/browse/INFRA-25217

kou commented 10 months ago

Our build process must be a reproducible build. It must be verified by the Apache Security Team. We need to contact security@apache.org to ask what we need to do for it.