On 01/04/2013 04:35 AM, Glyn Normington wrote:
Hi Folks,
Until recently, (ECF) has been signing our plugins by 'pushing' our
plugins to eclipse.org (built on our own builder machine...which is
*not* running at eclipse.org). Apparently this is not the appropriate
way now...rather what Denis indicated was appropriate was to have an
eclipse.org machine 'pull' our unsigned plugins, sign them, and then
put the signed versions somewhere.
I assume that other projects do some/all of their build on
non-eclipse systems...and need to do this as well. Are there ant
scripts and/or documentation on this 'pull' approach for signing?
I'm puzzled by the idea of a machine at eclipse.org
pulling from a build machine running, for example, behind a
corporate firewall. Maybe someone could clarify what Denis might
have been meaning.
If the remote build machine is behind a corporate firewall, it is
not accessible anonymously by everyone on the planet and is being
actively maintained by IT staff, then that gets my two thumbs up.
By all means, put your committer ID's private key there and push all
you want.
On the other hand, if your remote build machine is running a
publicly web-accessible CI system with an open-to-the-world SSH
port, I don't feel that the private key to your shell-enabled
eclipse.org account is in a safe location. This is consistent with
my position regarding committer private keys on our own publicly
web-accessible Hudson instance.
If committers really feel that our CI system should have the
ability to push commits to Git and push builds to the downloads area
via a committer's account (and I agree, this would be immensely
convenient), then we could perhaps consider closing
hudson.eclipse.org to the anonymous users, thus requiring a
committer account and authentication to access Hudson?
Denis
fyi Virgo milestones and releases are built on non-eclipse
systems. Virgo's signing scripts, which are using the "push"
model, were added recently in this commit:
_______________________________________________
cross-project-issues-dev mailing list
cross-project-issues-dev@xxxxxxxxxxx
https://dev.eclipse.org/mailman/listinfo/cross-project-issues-dev