Posted to dev@tinkerpop.apache.org by "Stephen Mallette (Jira)" <ji...@apache.org> on 2023/02/17 19:16:00 UTC

[jira] [Commented] (TINKERPOP-2860) Change release process to add binary verification for Python and .Net client

    [ https://issues.apache.org/jira/browse/TINKERPOP-2860?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17690544#comment-17690544 ] 

Stephen Mallette commented on TINKERPOP-2860:
---------------------------------------------

Noted that NuGet includes the commit id in the packaging, so I guess that solves that one. You can see it here:

https://nuget.info/packages/Gremlin.Net/3.6.2

For Python we could copy the .whl to the dev directory with the zips. On release day, you'd build the tag, then copy those same exact files out to {{gremlin-python/target/dist/python-packaged/dist}}, then do a {{mvn deploy}}, which should ship the copied files. Anyone who wanted to check that what was in the dev directory was the same as what's in PyPI could get the hash and compare it.

Honestly, the more I've dug into this, the less I feel this extra step is needed. Binaries have a lower bar than the official source release, which includes all the code of the entire repository. Binaries are a convenience only. We don't vote on them. Users won't take this extra step of confirmation for the sake of this hash. If anything, they will only validate that PyPI sent the right file, not that we put the right one up there (note there is infrastructure in twine that helps do this). If we trust people to be a release manager, then we trust them to check out a tag and deploy the right things.

> Change release process to add binary verification for Python and .Net client
> ----------------------------------------------------------------------------
>
>                 Key: TINKERPOP-2860
>                 URL: https://issues.apache.org/jira/browse/TINKERPOP-2860
>             Project: TinkerPop
>          Issue Type: Bug
>          Components: build-release
>    Affects Versions: 3.5.5
>            Reporter: Divij Vaidya
>            Priority: Blocker
>
> The binaries that we release for Python and .NET are not voted on during the release process.
> Hence, there is no way for a user to validate that the binary in PyPI or NuGet is actually generated from the code that was voted on by the PMC.
> We need to modify our change process to add a step where we could validate the integrity of the binary that will be added to PyPI or NuGet.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
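The hash comparison the comment sketches for the Python wheel, written out as an added example. This is not part of the TinkerPop release tooling; it is a stand-alone script that compares a locally held wheel (the copy that would sit in the dev directory beside the zips) with the digests PyPI reports for the published file, and turns the release-time sha256 into a pip `--require-hashes` pin so the check is enforced at install time rather than left to the user. The wheel bytes, the package name and version, and the PyPI JSON fragment are all constructed here; a real run reads the .whl from disk and fetches https://pypi.org/pypi/<name>/<version>/json, whose `urls[*].digests` field has the shape used below. Because the sample response is built from the constructed wheel bytes, its hashes match by construction; the tampered case shows what a mismatch looks like.

```python
"""Compare a locally held wheel with the digests PyPI publishes for it.

Added example, not TinkerPop release tooling. All inputs are constructed:
a real check reads the .whl from disk and fetches
https://pypi.org/pypi/<name>/<version>/json (assumed endpoint shape: a
"urls" list whose entries carry "filename" and "digests").
"""
import hashlib
import json
from typing import Dict, Optional


def file_digests(data: bytes) -> Dict[str, str]:
    """Digests in the same form PyPI reports under a release file's "digests"."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "blake2b_256": hashlib.blake2b(data, digest_size=32).hexdigest(),
    }


def find_release_file(pypi_json: str, filename: str) -> Optional[dict]:
    """Locate one file entry in a /pypi/<name>/<version>/json response by filename."""
    for entry in json.loads(pypi_json).get("urls", []):
        if entry.get("filename") == filename:
            return entry
    return None


def verify_wheel(filename: str, local_bytes: bytes, pypi_json: str) -> str:
    """Compare a locally held wheel with what PyPI says it published.

    Returns "match", "mismatch" (same filename, different bytes) or
    "not_published" (PyPI lists no file of that name). Both sha256 and
    blake2b_256 must agree; a difference in either means the bytes differ.
    """
    entry = find_release_file(pypi_json, filename)
    if entry is None:
        return "not_published"
    local = file_digests(local_bytes)
    remote = entry.get("digests", {})
    for algo in ("sha256", "blake2b_256"):
        if remote.get(algo) != local[algo]:
            return "mismatch"
    return "match"


def requirements_line(name: str, version: str, sha256: str) -> str:
    """Pin line for `pip install --require-hashes -r requirements.txt`.

    With --require-hashes, pip itself refuses any file whose sha256 differs
    from the value recorded here, so the release-time hash is enforced on
    every install instead of relying on users to compare it by hand.
    """
    return f"{name}=={version} --hash=sha256:{sha256}"


# Constructed sample data (not real TinkerPop artifacts).
WHEEL_NAME = "gremlinpython-3.6.2-py3-none-any.whl"
DEV_WHEEL = b"PK\x03\x04 constructed wheel bytes standing in for the dev/ copy"
TAMPERED_WHEEL = DEV_WHEEL + b" one extra byte"

# Constructed fragment of a PyPI JSON response; the wheel entry's digests are
# computed from DEV_WHEEL so that the honest case matches by construction.
PYPI_JSON = json.dumps({
    "urls": [
        {"filename": "gremlinpython-3.6.2.tar.gz", "packagetype": "sdist",
         "digests": file_digests(b"constructed sdist bytes")},
        {"filename": WHEEL_NAME, "packagetype": "bdist_wheel",
         "digests": file_digests(DEV_WHEEL)},
    ]
})


if __name__ == "__main__":
    print("dev copy vs PyPI:     ", verify_wheel(WHEEL_NAME, DEV_WHEEL, PYPI_JSON))
    print("tampered copy vs PyPI:", verify_wheel(WHEEL_NAME, TAMPERED_WHEEL, PYPI_JSON))
    print(requirements_line("gremlinpython", "3.6.2", file_digests(DEV_WHEEL)["sha256"]))
```

The check confirms that the bytes PyPI serves are the bytes the release manager staged, which is the gap the comment identifies as the only one users would otherwise close. It says nothing about whether those bytes were built from the voted-on tag; that still rests on the release manager checking out the tag, as the comment notes.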