Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Allow any release manager to build any release stream #111

Open
sethmlarson opened this issue Apr 9, 2024 · 0 comments
Open

Allow any release manager to build any release stream #111

sethmlarson opened this issue Apr 9, 2024 · 0 comments

Comments

@sethmlarson
Copy link
Collaborator

sethmlarson commented Apr 9, 2024
edited
Loading

Python security releases usually require all Python release managers to be available due to each release stream being assigned to a specific release manager. This happens in multiple locations:

  • Documentation and schedule
  • GPG identities for artifacts
  • Sigstore identity of all artifacts
  • Windows and macOS artifacts built and signed by Experts

This makes security releases especially difficult to coordinate.

There's already history for release managers "filling in" for one another and fixing up things after the release is out (for example, 3.10.14 being done originally by @ambv and then resigned by @pablogsal later).

Making the release process not depend on specific release managers means releases are less of a burden on RMs while also setting solid long-term expectations for release artifact users.

Where are the friction points?

Where in the current process are the friction points around any release manager making a release?

Human identities

  • Human identities for signing (Sigstore and GPG).
  • Identities of all release managers need to be trusted due to it not being known which release manager would be signing the artifacts ahead of time.
  • Difficult to automate without injecting directly into the build process. Somewhat trivializes the "human" identity.
  • Sigstore doesn't offer an ergonomic solution to verify a human-identity signature against a list of trusted identities.
  • For GPG, it seems that most folks import all trusted keys before verifying but some folks are pinning the identity of the release manager per release stream (ref, ref)

If this changes, documentation and user expectations will need to change. Would require a gradual phase-out and an announcement.

Builds are not all automated

  • Windows is completely automated in Azure Pipelines, uses Steve's GPG key regardless of who kicks off the build.
  • Source and docs builds are partially automated, plan is to automate further to be similar to Windows.
  • macOS builds aren't automated yet, uses Ned's GPG key. Likely will use GitHub Actions for automation?

This doesn't require any user-facing documentation changes or announcements.

Potential changes

Here are a list of proposed changes towards solving the above problems. Not all of these changes need to be accepted to achieve the above outcome.

  • Continue offering Sigstore and GPG human identities for existing Python release streams.
  • Move towards Sigstore being the recommended integrity mechanism for CPython artifacts in GitHub Actions. Moving away from human identities to machine/workflow identities for Sigstore solves the human identity problems.
  • Decide a cut-off point (3.14?) to stop offering human identity Sigstore identities.
  • Deprecate GPG signatures for future releases? Shared GPG key for release manager team? Open to other suggestions.

Further automating GitHub Actions builds is captured in #108
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@sethmlarson