[armedbear-devel] Release signing (was Maven & ABCL)

Fri Feb 11 00:17:24 UTC 2011

On Thu, Feb 10, 2011 at 9:46 PM, Erik Huelsmann <ehuels at gmail.com> wrote:
>>> Morale: this is not terribly complicated, and it would make ABCL
>>> available through another distribution channel. OTOH, I can't hide the
>>> fact that - besides my own personal convenience for my shared project
>>> - probably no-one is using ABCL in Maven projects right now, and
>>> having ABCL released through Maven would complicate its release
>>> process, not much for technical reasons but for organizational ones
>>> (e.g. who keeps ABCL's GPG key? How is it managed?).
>>
>> Currently Erik maintains the GPG key we currently use for signing.  Does
>> anyone have a model by which we could somehow share it?   It might be
>> nice to start "rotating" the responsibility for the releases among the
>> four core committers to help take some work off of Erik's plate.
>
> Yes. The key I use for signing as really my own though: I use it to
> sign all packages I put up for distribution: usocket (when I last
> did), cl-irc, ABCL, Subversion, py-configparser and maybe others.
>
> Within the Subversion project we had a discussion about having a
> project key or not. We considered that a project key would have to be
> passed from one to another person, increasing chances of the key
> getting compromised. Also, the process with a single key means single
> point of failure.
>
> What we considered back then - and are still doing today - is that as
> many committers as possible sign the release. Each committer signs the
> variants of the release he/she verified and tested to work well.
> (There is a tgz and a zip release, exactly like ours, one meant for
> *nix, the other for Windows).
>
> Having many committers sign each release reduces the dependency on
> every single one of them, but also allows others to join in and maybe
> have some of the older contributors flow out. Due to the fact that the
> core stays the same from one release to another, the signatures are
> still very well recognizable as "the official Subversion release with
> its regular signatures".
>
> I'm interested in your opinions (and how this might work with Maven).
> Do you think this approach would help to lift work off my shoulders?
> Do you think it's a good idea to make the signatures "mean" anything?
> Do you think our group of contributors is large enough to start
> collecting multiple signatures at all?

This seems a sensible approach and the fact it's used by important
projects like Subversion means it's valid in practice. I just feared
that introducing a gpg key would complicate things, but since our
releases are already signed, that's not an additional burden. Not
having a project-wide key but using personal ones means more
flexibility and more security too (a single shared key has more risk
of being compromised). Maven itself doesn't do anything special with
the signed files; it's just Sonatype and Maven Central that require
signatures, for security reasons. However, if several people sign the
distributed files, each person will have to maven-deploy only the
files they signed. I.e. signing and publishing are a single, atomic
step (if you use Maven; everything Maven does can be done with other
means of course. In the end it's just a bunch http PUTs. But doing it
with Maven is certainly much simpler).

> By the way, I think it's really great that we're actually having this
> discussion. To me it says something about the maturity of the ABCL
> project and the attitude of the committers in its community: we're a
> group dedicated to setting steps in the direction of delivering mature
> software with solid processes to ensure that our users are getting the
> quality they deserve.

I agree. But it's not as fun as talking about critical bugs :D

Cheers
Alessio