Re: [jakarta.ee-spec.committee] [jakartaee-spec-project-leads] TCK file signing infra complete

David Blevins wrote on 8/16/19 10:08 PM:
> Behold the awesomeness of our glorious new binary signing and promotion setup:
> 
>  - https://github.com/jakartaee/specification-tools/tree/master/promotion

In the description of the parameters, "scrubbed" means "validated", and the
job fails if the validation fails, right?  "Scrubbed" sounds more like you
clean it up and keep going.

The regex for the version could be "[1-9][0-9]*(\.[0-9]+)?" if you want to
be more precise.  (Yes, that's probably excessive.  :-))

If the key is ever "rotated", would you expect to re-sign all the existing
artifacts?  Should there be a job to do that?

> Sample run:
> 
>  - https://download.eclipse.org/jakartaee/wombat/2.0/

My browser thinks the *.sha256 files are zip files.  Does something need
to be done on the server to make sure they're advertised as text/plain files?

I'm not a PGP expert but the signatures seem a bit weird.  It looks like the
data is base64 encoded, yet the last line of the data *starts* with "=".
Usually base64 data will use "=" at the end to pad out the data.  Is there
some different use of "=" in PGP signatures?

Should the signatures of two files with identical SHA-256 hash codes also
be identical?  Or do the signatures incorporate some time or random element?

>  - https://ci.eclipse.org/jakartaee-spec-committee/job/promote-release/31/artifact/wombat-2.0.html

I get a 404 when trying to access this page.  Looks like that job has
rolled off the bottom of the list of saved jobs.  I was able to look
at a newer job however and it looks fine.

> For some reason the lovely CSS on the html page doesn't render.  Not really important, that page is just for an audit trail.

If these are an audit trail they should be saved somewhere else more permanent.
And it would be nice if they recorded who started the job.
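The "=" line asked about above is the RFC 4880 armor checksum: a CRC-24 of the decoded payload, base64-encoded to four characters and prefixed with "=", so it is a separate trailer line rather than base64 padding. The script below is an added example, not part of this thread or of the specification-tools promotion job; it parses an ASCII-armored block, recomputes that CRC-24 and compares it with the trailer, and also validates a version string with the regex proposed in the reply. The armored payload is constructed filler bytes, not a real signature packet.

```python
"""Added example: verify the OpenPGP ASCII-armor CRC-24 trailer and check a
release version string. The sample payload is constructed, not a real
OpenPGP signature packet."""
import base64
import re

# RFC 4880 section 6.1: CRC-24 parameters used for the armor checksum line
CRC24_INIT = 0xB704CE
CRC24_POLY = 0x1864CFB


def crc24(data: bytes) -> int:
    """Bitwise CRC-24 exactly as specified in RFC 4880 section 6.1."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def armor_checksum_line(payload: bytes) -> str:
    """The 3-byte CRC, base64-encoded and prefixed with '='.

    This is why the last line of an armored block *starts* with '=':
    it is the checksum trailer, not base64 padding."""
    digest = crc24(payload).to_bytes(3, "big")
    return "=" + base64.b64encode(digest).decode("ascii")


def build_armor(payload: bytes, kind: str = "SIGNATURE") -> str:
    """Wrap raw bytes in ASCII armor (used here only to construct a sample)."""
    b64 = base64.b64encode(payload).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([f"-----BEGIN PGP {kind}-----", ""] + lines
                     + [armor_checksum_line(payload), f"-----END PGP {kind}-----"]) + "\n"


def parse_armor(text: str):
    """Return (payload_bytes, checksum_line_or_None) from an armored block."""
    lines = text.strip().splitlines()
    if not (lines and lines[0].startswith("-----BEGIN PGP ")
            and lines[-1].startswith("-----END PGP ")):
        raise ValueError("not an ASCII-armored OpenPGP block")
    body = lines[1:-1]
    # Armor headers (e.g. "Version: ...") are separated from data by a blank line.
    if "" in body:
        body = body[body.index("") + 1:]
    checksum = None
    if body and body[-1].startswith("="):  # base64 data never starts with '='
        checksum = body.pop()
    payload = base64.b64decode("".join(body), validate=True)
    return payload, checksum


def armor_checksum_ok(text: str) -> bool:
    """True if the '=xxxx' trailer matches the CRC-24 of the decoded payload.

    A block without a trailer passes: the trailer only detects transport
    corruption, it is not a security check. The signature itself must still
    be verified with the signing key."""
    payload, checksum = parse_armor(text)
    if checksum is None:
        return True
    return checksum == armor_checksum_line(payload)


# Version regex suggested in the reply; fullmatch rejects "02" and "2.0.1".
VERSION_RE = re.compile(r"[1-9][0-9]*(\.[0-9]+)?")


def is_valid_version(version: str) -> bool:
    return VERSION_RE.fullmatch(version) is not None


# Constructed sample: arbitrary bytes standing in for a signature packet.
SAMPLE_PAYLOAD = b"constructed filler bytes, not a real OpenPGP signature packet"
SAMPLE_ARMOR = build_armor(SAMPLE_PAYLOAD)


def tampered_armor() -> str:
    """Flip one payload bit but keep the stale trailer from the original."""
    bad = bytearray(SAMPLE_PAYLOAD)
    bad[0] ^= 0x01
    lines = build_armor(bytes(bad)).strip().splitlines()
    lines[-2] = armor_checksum_line(SAMPLE_PAYLOAD)  # checksum of the untampered data
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(SAMPLE_ARMOR)
    print("sample checksum ok:", armor_checksum_ok(SAMPLE_ARMOR))
    print("tampered checksum ok:", armor_checksum_ok(tampered_armor()))
    for v in ("2.0", "10", "02", "2.0.1"):
        print(f"version {v!r} valid: {is_valid_version(v)}")
```

On the other question in the reply: OpenPGP signature packets carry a signature creation time subpacket, so two signatures over identical data made at different times differ even when the underlying signature scheme is deterministic; identical SHA-256 hashes therefore do not imply identical signature files.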
