Use the same GitHub account and GPG key for all XWiki Standard releases

Hi devs,

I would like to get rid of the "Set up your identity" and "Clean up your identity" XWiki Standard release steps, and for that we need to stop using personal GitHub accounts and GPG keys to do those.

So the proposal would be to:

  1. Always use the same GitHub account. We have two possibilities here:
    a. reuse xwikici which is currently used by ci.xwiki.org
    b. create a new dedicated account (which would have many more rights than what xwikici currently has, since it would need to be able to push commits and create releases)
  2. Create a new GPG key for the releases and publish it

Pros:

  • reduce the time spent and complexity of releases
  • it’s a mandatory step to make automated releases possible, eventually

Cons:

  • we won’t know who did the release just from the GitHub history anymore

WDYT ?

I honestly don’t see much value in what we currently do, and it’s quite an annoying and error-prone step. We are already using a common SSH key, so why not go all the way.

So here is my +1 in general.

I have a preference for 1.b. (mainly because of the very different level of access), but I understand if others feel it’s overkill and prefer 1.a.

This proposal is open until at least all release managers have answered it.

+1 for 1.b and 2.

Thanks

+1. I don’t have a strong preference between 1.a and 1.b

Thanks,
Marius

+1 that it’s painful, but I thought we wanted traceability in the signature/etc. and thus had individual GPG keys. I’m not an expert on this topic of security, so I’m going to trust that there are no negative effects of using a common key beyond the fact that we won’t be able to trace back a release to an individual by looking at the artifacts.

My preference is for 1b and 2 with a passphrase.

Thx
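The mechanics behind step 2 of the proposal (a dedicated release key with a passphrase, its public half published) and the traceability point discussed above, as an added shell example; this is not XWiki's release tooling. The user ID, passphrase, expiry and artifact name are assumptions constructed for the illustration, and everything runs in throwaway GNUPGHOME directories so the caller's keyring is untouched.

```shell
#!/bin/sh
# Added example (not XWiki project code): generate a passphrase-protected,
# signing-only release key, export the public key for publication, produce a
# detached signature over a release artifact, and verify it the way a downstream
# user would, with nothing but the published public key in a fresh keyring.

_release_key_steps() {
    sign_home=$1     # keyring holding the private release key
    verify_home=$2   # keyring of a downstream verifier: public key only

    # Assumed identity and passphrase for the shared key (use a team address in practice).
    uid="XWiki Release Key (example) <release@example.org>"
    passphrase="release-key-passphrase-example"
    artifact="$sign_home/xwiki-platform-distribution.zip"

    # 1. Create an Ed25519 signing-only key, protected by the passphrase, expiring in 2 years
    #    (assumed policy; rotation is easier with an expiry than with revocation alone).
    GNUPGHOME=$sign_home gpg --batch --quiet --pinentry-mode loopback \
        --passphrase "$passphrase" --quick-gen-key "$uid" ed25519 sign 2y 2>/dev/null || return 1

    # The primary key fingerprint is what consumers pin and what signatures name.
    fpr=$(GNUPGHOME=$sign_home gpg --batch --with-colons --list-keys "$uid" 2>/dev/null \
          | awk -F: '$1 == "fpr" { print $10; exit }')
    [ -n "$fpr" ] || return 1

    # 2. Export the public key: this armored file is what gets published
    #    (keyserver, project website, source repository).
    GNUPGHOME=$sign_home gpg --batch --armor --export "$fpr" \
        > "$sign_home/release-key.pub.asc" 2>/dev/null || return 1

    # 3. Sign a constructed artifact with a detached, armored signature (artifact.asc).
    printf 'constructed release artifact\n' > "$artifact"
    GNUPGHOME=$sign_home gpg --batch --yes --pinentry-mode loopback \
        --passphrase "$passphrase" --local-user "$fpr" --armor --detach-sign \
        "$artifact" 2>/dev/null || return 1

    # 4. Verify from a keyring that only contains the published public key.
    #    VALIDSIG carries the fingerprint of the signing key: that identifies the
    #    organization's release key, not the person who ran the release.
    GNUPGHOME=$verify_home gpg --batch --quiet --import \
        "$sign_home/release-key.pub.asc" 2>/dev/null || return 1
    GNUPGHOME=$verify_home gpg --batch --status-fd 1 --verify \
        "$artifact.asc" "$artifact" 2>/dev/null \
        | grep -q "^\[GNUPG:\] VALIDSIG $fpr " || return 1

    echo "valid signature from release key $fpr"
}

# Runs the whole flow in temporary keyrings and cleans them up; returns 0 on a
# valid signature, 2 if gpg is not installed, 1 on any other failure.
release_key_demo() {
    command -v gpg >/dev/null 2>&1 || { echo "gpg not installed" >&2; return 2; }
    sign_home=$(mktemp -d) || return 1
    verify_home=$(mktemp -d) || return 1
    chmod 700 "$sign_home" "$verify_home"
    _release_key_steps "$sign_home" "$verify_home"
    status=$?
    rm -rf "$sign_home" "$verify_home"
    return $status
}
```

Running `release_key_demo` prints the fingerprint of the key that produced the signature. Whoever verifies an XWiki artifact this way learns which key (the shared one) signed it, which is the traceability that remains after the change; who ran the release has to come from the release plan pages instead.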

Sure, it won’t be an individual, but you can still trace it back to an organization (it’s not like it was not signed at all anymore). Of course, we can still easily know who did which release from https://dev.xwiki.org/xwiki/bin/view/Community/ReleasePlans, even if it’s less direct (but I doubt anyone ever tried to use the signature of an artifact to find out who did an XWiki release :) ).

I don’t see much value in that. If someone can access the release server, the GPG key will be the last of our concerns (even now), I’m afraid.