Here is an introduction to the ATR's data model.
The view here is descriptive of a JSON model, but the implementation will be a combination of filesystem files and subdirs along with a database schema.
Projects are run by a PMC with members and committers, have metadata, vote policy settings, and product lines.
- Key
- Project Name
- Product Lines
- User role lists:
- PMC Members
- Committers
- Release Managers
- Public Signing Keys
- Vote Policy
One or more product lines with separate releases including the main one. A product line may override PMC vote policy.
- Key
- PMC
- Product Name
- Latest Version
- Distribution Channels
- Vote Policy
- Release lists:
- Candidates
- Current
- Archived
Public Signing Keys are stored using the User ID of the owner as the key.
- User
- Public Signing Key
- Type
- Expiration
These are a set of choices which control how a release vote is conducted by the ATR.
- Mailto Addresses for Emails - defaults to the project dev list, but the PMC can change these and add contacts. This will be helpful in getting dependent projects to check releases early.
- Manual Vote Process flag - if this is set then the vote will be completely manual and following policy is ignored.
- Minimum Number of Hours - the minimum time to run the vote. If set to
0then wait until 3 +1 votes and more +1 than -1. - Release Checklist - markdown text describing how to test release candidates.
- Pause for RM check if any -1 votes flag - normally when the vote passes we proceed to the next steps, but we should allow the RM a chance to confirm if a -1 vote should stop the release.
Releases are related groups of packages. Candidate releases go through stages and these have phases. When approved to be released the stage is moved to current. Current releases have initial phases to distribute and announce the release.
- Storage key
- Stage
- Phase
- PMC
- Product Line
- Package Managers
- Version
- Packages - List of triples of file, signature, and checksum that are the downloadable components of a release.
Should we use Artifacts instead of Packages?
- SBOMs - in an acceptable SBOM format and maintained in Phases using standard Python libraries.
- Vote Policy
- Votes
- Pass or Fail
- Summary
- Binding votes
- Community votes
- Start
- End
Distribution channels are where PMCs distribute release packages. These need to be defined in the ATR. Distribution channels may be for test packages. Package Managers will be automated over time.
- Name
- Key
- URL
- Credentials
- Is Test?
- Automation endpoint
Multiple roles are possible and available actions are composed. Empty cells denote "no".
| Activity | PMC Member | Release Manager | Committer | Visitor | ASF Member | SysAdmin |
|---|---|---|---|---|---|---|
| binding vote | yes | |||||
| vote | yes | yes | yes | yes | yes | |
| release admin | yes | yes | yes | |||
| project admin | yes | yes | ||||
| product admin | yes | yes | ||||
| manage key | yes | yes | ||||
| run phase | yes | yes | yes | |||
| channel admin | yes | |||||
| view release events | yes | yes | yes | yes | yes | yes |
| view project events | yes | yes | yes | yes | yes | yes |
| search all events | yes | yes |
To vote visitors must provide PII and we need to explain how we are protecting their privacy.
The authorization and authentication for
GitHub PATswill be specific and fine-grained, but should be similar to a "release manager"