latest 20 messages by amitprakash

+ [2016-12-05T15:08:07Z] amitprakash I'd rather this be automated via CI than users
+ [2016-12-05T15:07:50Z] amitprakash canton7, because developers (including myself) are stupid
+ [2016-12-05T15:05:30Z] amitprakash canton7, perfect, this works!
+ [2016-12-05T15:04:35Z] amitprakash Aight, sorry about that
+ [2016-12-05T15:03:25Z] amitprakash Verifying authenticity of tag implies the tag is from a particular author .. i.e. someuser@domain.com
+ [2016-12-05T15:02:14Z] amitprakash This is clearly not desired.. so two things we can do 1) restrict developers from pushing tags - (which I don't see a way of doing) or 2) verify the authenticity of tag
+ [2016-12-05T15:01:42Z] amitprakash But any developer can push tags to a project, which means anyone can trigger a release
+ [2016-12-05T15:01:19Z] amitprakash So let's say we trigger this on tags against the project.
+ [2016-12-05T15:00:51Z] amitprakash either you manually trigger this job, or you can trigger this on commits against particular branch or you can trigger this on tags against the project
+ [2016-12-05T15:00:11Z] amitprakash Okay, how do you know when to release new software to production?
+ [2016-12-05T14:59:46Z] amitprakash I want to find a way to ensure releases. This I want to be based on git (either via tags, branches etc) handled via CI..
+ [2016-12-05T14:58:46Z] amitprakash Yes, Verifying the authenticity would be a step in the CI/deployment process
+ [2016-12-05T14:57:54Z] amitprakash Prevent releases when other developers push tags to repo
+ [2016-12-05T14:56:44Z] amitprakash Since I cannot restrict users from pushing their own tags, the next step was to verify the authenticity of tag, this I sought to handle by verifying the author/committer against the tag
+ [2016-12-05T14:56:07Z] amitprakash canton7, So in my current CI process, any time a tag is pushed to the project, it is assumed to be a new release which the CI pushes to production
+ [2016-12-05T14:54:27Z] amitprakash Alternately, rethink the strategy from tags to a separate branch for releases to production
+ [2016-12-05T14:54:10Z] amitprakash But tag author can also be changed, so I am not sure how I can verify if a tag is genuine
+ [2016-12-05T14:53:47Z] amitprakash canton7, release to production on tag... however since I can't restrict tags, verify that tags are genuine via tag author
+ [2016-12-05T14:52:03Z] amitprakash But that too can be faked