Posted to dev@rave.apache.org by Jasha Joachimsthal <ja...@apache.org> on 2012/11/02 19:57:10 UTC

Let Jenkins build releases?

Currently the person who executes the release process builds the release
artifacts on his own system. I wondered why we don't make the Maven release
from Jenkins. Jenkins has a plugin to perform Maven releases [1]. We no
longer depend on the environment settings of individual committers and our
"local" repository does not contain home brew artifacts from other
projects. Besides why would you do something manually if the machine can do
it for you ;)

[1] https://wiki.jenkins-ci.org/display/JENKINS/M2+Release+Plugin

Jasha

Re: Let Jenkins build releases?

Posted by Jasha Joachimsthal <ja...@apache.org>.
On 3 November 2012 10:43, Ate Douma <at...@douma.nu> wrote:

> On 11/03/2012 10:29 AM, Ate Douma wrote:
>
>> Hi Jasha,
>>
>> On 11/02/2012 07:57 PM, Jasha Joachimsthal wrote:
>>
>>> Currently the person who executes the release process builds the release
>>> artifacts on his own system. I wondered why we don't make the Maven release
>>> from Jenkins. Jenkins has a plugin to perform Maven releases [1]. We no
>>> longer depend on the environment settings of individual committers and our
>>> "local" repository does not contain home brew artifacts from other
>>> projects. Besides why would you do something manually if the machine can do
>>> it for you ;)
>>>
>>> [1] https://wiki.jenkins-ci.org/display/JENKINS/M2+Release+Plugin
>>>
>>>
>> Nice idea :)
>>
>> As a start, I wouldn't technically trust Jenkins to do releases for us: it's just
>> broken itself way too often.
>>
>> More important though, I think we might have a problem with the formal and legal
>> trust as well. The PMC, as representative for the ASF, is responsible for a
>> (signed) release as provided by a release manager.
>> IANAL, but making Jenkins the release manager and have the artifacts 'auto
>> signed' by a machine, probably doesn't provide the proper 'trust' from a legal POV.
>>
> It just occurred to me the above might sound a bit weird if you just
> read my earlier feedback concerning the locally built and bundled wookie
> jar in the 0.17 binaries (see 0.17 release candidate DISCUSS thread).
>
> My response above primarily concerns the fact we *also* build the sources
> tarball during the same release step. And that artifact is the main concern
> from a legal release POV. If the Release Manager would build only the
> sources tarball locally, sign it personally, and let Jenkins (only) build
> the other artifacts, it *might* legally be fine for the ASF.
> Even then though, I doubt relying on Jenkins for this purpose is desirable.
> It also would require Apache Repository (Nexus) to accept *release*
> (target) deployments from a Jenkins (machine user) build. AFAIK it
> currently only allows this for SNAPSHOT deployments.
>

Doing it half by hand and half by a somewhat unreliable machine sounds like
a worse situation than it is now. We just need to pay more attention to the
manual process then.


>
> Ate
>
>
>
>>> Jasha
>>>
>>>
>>
>

Re: Let Jenkins build releases?

Posted by Ate Douma <at...@douma.nu>.
On 11/03/2012 10:29 AM, Ate Douma wrote:
> Hi Jasha,
>
> On 11/02/2012 07:57 PM, Jasha Joachimsthal wrote:
>> Currently the person who executes the release process builds the release
>> artifacts on his own system. I wondered why we don't make the Maven release
>> from Jenkins. Jenkins has a plugin to perform Maven releases [1]. We no
>> longer depend on the environment settings of individual committers and our
>> "local" repository does not contain home brew artifacts from other
>> projects. Besides why would you do something manually if the machine can do
>> it for you ;)
>>
>> [1] https://wiki.jenkins-ci.org/display/JENKINS/M2+Release+Plugin
>>
>
> Nice idea :)
>
> As a start, I wouldn't technically trust Jenkins to do releases for us: it's just
> broken itself way too often.
>
> More important though, I think we might have a problem with the formal and legal
> trust as well. The PMC, as representative for the ASF, is responsible for a
> (signed) release as provided by a release manager.
> IANAL, but making Jenkins the release manager and have the artifacts 'auto
> signed' by a machine, probably doesn't provide the proper 'trust' from a legal POV.
>
It just occurred to me the above might sound a bit weird if you just read my 
earlier feedback concerning the locally built and bundled wookie jar in the 0.17
binaries (see 0.17 release candidate DISCUSS thread).

My response above primarily concerns the fact we *also* build the sources 
tarball during the same release step. And that artifact is the main concern from 
a legal release POV. If the Release Manager would build only the sources tarball 
locally, sign it personally, and let Jenkins (only) build the other artifacts, 
it *might* legally be fine for the ASF.
Even then though, I doubt relying on Jenkins for this purpose is desirable.
It also would require Apache Repository (Nexus) to accept *release* (target) 
deployments from a Jenkins (machine user) build. AFAIK it currently only allows 
this for SNAPSHOT deployments.

Ate


>
>> Jasha
>>
>


Re: Let Jenkins build releases?

Posted by Ate Douma <at...@douma.nu>.
Hi Jasha,

On 11/02/2012 07:57 PM, Jasha Joachimsthal wrote:
> Currently the person who executes the release process builds the release
> artifacts on his own system. I wondered why we don't make the Maven release
> from Jenkins. Jenkins has a plugin to perform Maven releases [1]. We no
> longer depend on the environment settings of individual committers and our
> "local" repository does not contain home brew artifacts from other
> projects. Besides why would you do something manually if the machine can do
> it for you ;)
>
> [1] https://wiki.jenkins-ci.org/display/JENKINS/M2+Release+Plugin
>

Nice idea :)

As a start, I wouldn't technically trust Jenkins to do releases for us: it's just
broken itself way too often.

More important though, I think we might have a problem with the formal and legal 
trust as well. The PMC, as representative for the ASF, is responsible for a 
(signed) release as provided by a release manager.
IANAL, but making Jenkins the release manager and have the artifacts 'auto
signed' by a machine, probably doesn't provide the proper 'trust' from a legal POV.


> Jasha
>