Posted to security-discuss@community.apache.org by tison <wa...@gmail.com> on 2023/07/03 11:01:34 UTC

Re: [REQUEST] Grant permission to deploy Maven project via GitHub Actions

Updating the mailing list. Or should I start a whole new thread?

Best,
tison.


On Mon, 3 Jul 2023 at 19:00, tison <wa...@gmail.com> wrote:

> Hi Daniel,
>
> Thanks for your information! That can be an alternative for the signing
> key.
>
> Right now the blocker I met is a 403 from the Nexus server, which I suspect
> is due to a lack of permissions on the Nexus credentials. Could you confirm
> or correct it?
>
> Best,
> tison.
>
>
> On Mon, 3 Jul 2023 at 18:58, tison <wa...@gmail.com> wrote:
>
>> Hi PJ,
>>
>> Thanks for sharing your thoughts!
>>
>> For the signing key, it's a resolved topic from my perspective. I use:
>>
>> 1. A signing key commented with OPENDAL CODE AUTO SIGNING KEY[1]
>> 2. Loading the key from our 1Password service; since it's a specific
>> key, I feel comfortable passing it to an INFRA member to configure as a
>> secret instead.
>>
>> Best,
>> tison.
>>
>> [1] https://dist.apache.org/repos/dist/release/incubator/opendal/KEYS
>>
>>
>> On Mon, 3 Jul 2023 at 18:52, PJ Fanning <fa...@apache.org> wrote:
>>
>>> Adding the Incubator general list.
>>>
>>> My view would be that non-snapshot binary artifacts should be signed
>>> with a personal signing key - ideally the signing key that was used to
>>> release the related source release. Unfortunately, this would mean
>>> adding a user's signing key to the Apache GitHub account as a secret
>>> so that the automated GitHub Action job could access it. I don't see
>>> how we could allow personal signing keys to be added like this.
>>>
>>> On Mon, 3 Jul 2023 at 10:18, tison <wa...@gmail.com> wrote:
>>> >
>>> > cc security
>>> >
>>> > Missed in the first place.
>>> >
>>> > Best,
>>> > tison.
>>> >
>>> >
>>> > On Thu, 29 Jun 2023 at 22:21, tison <wa...@gmail.com> wrote:
>>> >>
>>> >> Hi security team members,
>>> >>
>>> >> I'm tison from OpenDAL Podling[1], a Rust lib providing a Java binding.
>>> >>
>>> >> I have already verified that GitHub Actions works well for automatically
>>> >> deploying the OpenDAL Java binding[2].
>>> >>
>>> >> When integrating it with upstream (apache/incubator-opendal), I met a
>>> >> problem: deploying Maven projects requires Nexus credentials. For my
>>> >> personal repo, I can configure my Apache ID and password as secrets. For
>>> >> apache repos, it requires handing over the credentials to an INFRA team
>>> >> member. Even if I can trust the member, it's a bit less than awesome.
>>> >>
>>> >> Fortunately, INFRA provides two org-wide secrets, NEXUS_USER and
>>> >> NEXUS_PW, for doing so[3]. But they are limited to deploying snapshots only.
>>> >> An INFRA member suggested that I consult the security team for approval of
>>> >> such automatic deployment, and they would help grant the related
>>> >> permissions if approved.
>>> >>
>>> >> Please help review the request to support ASF projects deploying
>>> >> Maven projects via GitHub Actions.
>>> >>
>>> >> Best,
>>> >> tison.
>>> >>
>>> >> [1] http://github.com/apache/incubator-opendal
>>> >> [2] https://github.com/tisonkun/ci-opendal/actions/runs/5326589752
>>> >> [3] https://github.com/apache/incubator-opendal/blob/f887b671c0aae523d8862762eec71e6179e0975c/.github/workflows/bindings_java.yml#L192
>>> >>
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
>>> For additional commands, e-mail: general-help@incubator.apache.org
>>>
>>>
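
A deploy job wired the way the thread describes, added here as an illustration and not the OpenDAL project's own bindings_java.yml: the dedicated auto-signing key and the org-wide NEXUS_USER/NEXUS_PW secrets are exposed only to a tag-triggered job, and the imported key is checked against the fingerprint published in KEYS before anything is signed. The secret names AUTO_SIGNING_KEY and AUTO_SIGNING_PASSPHRASE, the release environment, the ASF parent pom's apache-release profile and the placeholder fingerprint are assumptions; a release deploy still answers 403 until INFRA grants the credentials release permission, which is what this thread asks for.

```yaml
# Added illustration, not the project's own bindings_java.yml. Assumed names:
# secrets AUTO_SIGNING_KEY / AUTO_SIGNING_PASSPHRASE, the "release" environment,
# and the placeholder fingerprint in EXPECTED_FPR.
name: Deploy Java binding

on:
  push:
    tags: ["v*"]            # release tags only; pull_request runs never see the secrets

permissions:
  contents: read            # GITHUB_TOKEN needs nothing more for this job

env:
  # Fingerprint of the OPENDAL CODE AUTO SIGNING KEY as published in the KEYS file.
  EXPECTED_FPR: "0000000000000000000000000000000000000000"   # placeholder

jobs:
  deploy:
    runs-on: ubuntu-latest
    environment: release    # assumed: environment with required reviewers, so a
                            # merged PR alone cannot reach the secrets below
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-java@v3
        with:
          distribution: temurin
          java-version: "17"
          server-id: apache.releases.https      # id from the ASF parent pom
          server-username: NEXUS_USER           # env var NAMES, resolved when mvn runs
          server-password: NEXUS_PW
          gpg-private-key: ${{ secrets.AUTO_SIGNING_KEY }}   # the dedicated key, not a personal one
          gpg-passphrase: AUTO_SIGNING_PASSPHRASE            # env var name again
      - name: Refuse to sign with anything but the published auto-signing key
        run: |
          set -euo pipefail
          fpr=$(gpg --batch --with-colons --list-secret-keys | awk -F: '$1=="fpr"{print $10; exit}')
          [ "$fpr" = "$EXPECTED_FPR" ] || { echo "unexpected signing key $fpr"; exit 1; }
      - name: Sign and deploy
        env:
          NEXUS_USER: ${{ secrets.NEXUS_USER }}   # the org-wide INFRA secrets from the thread
          NEXUS_PW: ${{ secrets.NEXUS_PW }}
          AUTO_SIGNING_PASSPHRASE: ${{ secrets.AUTO_SIGNING_PASSPHRASE }}
        # apache-release profile (ASF parent pom) runs maven-gpg-plugin; -Dgpg.keyname pins the key
        run: mvn --batch-mode -Papache-release -Dgpg.keyname="$EXPECTED_FPR" deploy
```

The fingerprint check is what makes the 1Password-stored key auditable: if the secret is ever replaced with a different key, the job fails before any artifact is signed or uploaded.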

Re: [REQUEST] Grant permission to deploy Maven project via GitHub Actions

Posted by PJ Fanning <fa...@gmail.com>.
One of my Pekko colleagues found that this process is documented. I
wasn't aware that this approach has been approved as long as the
security team signs off.

https://infra.apache.org/release-signing.html#automated-release-signing

On Mon, 3 Jul 2023 at 12:04, tison <wa...@gmail.com> wrote:
>
> Updating the mailing list. Or should I start a whole new thread?
>
> Best,
> tison.
>
>
> On Mon, 3 Jul 2023 at 19:00, tison <wa...@gmail.com> wrote:
>
> > Hi Daniel,
> >
> > Thanks for your information! That can be an alternative for the signing
> > key.
> >
> > Right now the blocker I met is a 403 from the Nexus server, which I suspect
> > is due to a lack of permissions on the Nexus credentials. Could you confirm
> > or correct it?
> >
> > Best,
> > tison.
> >
> >
> > On Mon, 3 Jul 2023 at 18:58, tison <wa...@gmail.com> wrote:
> >
> >> Hi PJ,
> >>
> >> Thanks for sharing your thoughts!
> >>
> >> For the signing key, it's a resolved topic from my perspective. I use:
> >>
> >> 1. A signing key commented with OPENDAL CODE AUTO SIGNING KEY[1]
> >> 2. Loading the key from our 1Password service; since it's a specific
> >> key, I feel comfortable passing it to an INFRA member to configure as a
> >> secret instead.
> >>
> >> Best,
> >> tison.
> >>
> >> [1] https://dist.apache.org/repos/dist/release/incubator/opendal/KEYS
> >>
> >>
> >> On Mon, 3 Jul 2023 at 18:52, PJ Fanning <fa...@apache.org> wrote:
> >>
> >>> Adding the Incubator general list.
> >>>
> >>> My view would be that non-snapshot binary artifacts should be signed
> >>> with a personal signing key - ideally the signing key that was used to
> >>> release the related source release. Unfortunately, this would mean
> >>> adding a user's signing key to the Apache GitHub account as a secret
> >>> so that the automated GitHub Action job could access it. I don't see
> >>> how we could allow personal signing keys to be added like this.
> >>>
> >>> On Mon, 3 Jul 2023 at 10:18, tison <wa...@gmail.com> wrote:
> >>> >
> >>> > cc security
> >>> >
> >>> > Missed in the first place.
> >>> >
> >>> > Best,
> >>> > tison.
> >>> >
> >>> >
> >>> > On Thu, 29 Jun 2023 at 22:21, tison <wa...@gmail.com> wrote:
> >>> >>
> >>> >> Hi security team members,
> >>> >>
> >>> >> I'm tison from OpenDAL Podling[1], a Rust lib providing a Java binding.
> >>> >>
> >>> >> I have already verified that GitHub Actions works well for automatically
> >>> >> deploying the OpenDAL Java binding[2].
> >>> >>
> >>> >> When integrating it with upstream (apache/incubator-opendal), I met a
> >>> >> problem: deploying Maven projects requires Nexus credentials. For my
> >>> >> personal repo, I can configure my Apache ID and password as secrets. For
> >>> >> apache repos, it requires handing over the credentials to an INFRA team
> >>> >> member. Even if I can trust the member, it's a bit less than awesome.
> >>> >>
> >>> >> Fortunately, INFRA provides two org-wide secrets, NEXUS_USER and
> >>> >> NEXUS_PW, for doing so[3]. But they are limited to deploying snapshots only.
> >>> >> An INFRA member suggested that I consult the security team for approval of
> >>> >> such automatic deployment, and they would help grant the related
> >>> >> permissions if approved.
> >>> >>
> >>> >> Please help review the request to support ASF projects deploying
> >>> >> Maven projects via GitHub Actions.
> >>> >>
> >>> >> Best,
> >>> >> tison.
> >>> >>
> >>> >> [1] http://github.com/apache/incubator-opendal
> >>> >> [2] https://github.com/tisonkun/ci-opendal/actions/runs/5326589752
> >>> >> [3] https://github.com/apache/incubator-opendal/blob/f887b671c0aae523d8862762eec71e6179e0975c/.github/workflows/bindings_java.yml#L192
> >>> >>
> >>>
> >>> ---------------------------------------------------------------------
> >>> To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
> >>> For additional commands, e-mail: general-help@incubator.apache.org
> >>>
> >>>

---------------------------------------------------------------------
To unsubscribe, e-mail: security-discuss-unsubscribe@community.apache.org
For additional commands, e-mail: security-discuss-help@community.apache.org

