
Comments (28)

nicoweidner commented on September 27, 2024 2

There is an account a project (see Max' correction below) that is used for tools-python, but I don't think it was intended as an "official SPDX account". @maxhbr and @pombredanne have access to it. I am not sure whether it makes more sense to use this account and extend the list of people with access, or create a new one for various SPDX releases.

from ntia-conformance-checker.

goneall commented on September 27, 2024 2

@anthonyharrison - We don't have an email list specific to the tools or this project. We do have an email alias for security, but that probably wouldn't be appropriate for the PyPI registration.

@kestewart - How hard would it be to set up another email alias like the one suggested above?

If you can add multiple emails, there are 4 maintainers - we could add those.

goneall commented on September 27, 2024 1

+1 on semantic versioning and any automation.

Not much of an opinion on hosting releases on GitHub - It would make the automation easier, but PyPI would make the releases more accessible.

goneall commented on September 27, 2024 1

For this first, manual release, I propose doing a release here, on GitHub, in the so-called releases page. That's very easy.

@jspeed-meyers - Works for me

anthonyharrison commented on September 27, 2024 1

@jspeed-meyers Happy to help getting this tool onto PyPI.

Here is an SPDX SBOM of the current release of the checker (created using sbom4python)

sbom4python --module ntia-conformance-checker --output ntia.spdx

Would be useful if this was included as part of the release process.

ntia.spdx.txt

goneall commented on September 27, 2024 1

I don't know of an official SPDX account on PyPI.

@pombredanne, @nicoweidner, @licquia - any input on this?

maxhbr commented on September 27, 2024 1

I don't know of an official SPDX account on PyPI.

I do not know of any technical LF account. For the tools python the individual accounts were granted permissions and they published the releases.

There is an account that is used for tools-python, ...

The tools-python on PyPI is a project, not an account.

anthonyharrison commented on September 27, 2024 1

Thanks for the info @maxhbr @nicoweidner @goneall.

If there isn't an spdx account on PyPI, we will set up an account specifically for the ntia-conformance-checker.

When setting up the metadata for PyPI, we should provide an email address for the project author(s) and maintainer(s). I was wondering if there is an email address e.g. [email protected] which can then be the single point of contact rather than an arbitrary developer account.

kestewart commented on September 27, 2024 1

@goneall - we do have an implementers mailing list for tools https://lists.spdx.org/g/spdx-implementers.

If folks want emails per tools, that should be possible to set up, but I'd like someone else to volunteer to be owner for them, so that I'm not having to deal with SPAM, etc.

rnjudge commented on September 27, 2024 1

@goneall my only hesitation there is blasting those subscribed to the list with emails that aren't relevant to them. I worry it may make them ignore the emails that come from humans trying to reach subscribers. Could we use the spdx-implementers owner email? [email protected]?

goneall commented on September 27, 2024 1

I just tested the email and it goes to Kate - so as long as @kestewart is good with this, it sounds like a solution.

kestewart commented on September 27, 2024 1

@rnjudge, @goneall - I'd rather not be on point for forwarding information here, as my inbox is a disaster, and I'm likely to miss something. Rose, can I make you the owner of the mailing list (which kinda makes sense since you're running the implementers discussions)?

rnjudge commented on September 27, 2024 1

@kestewart Yes, this makes sense for me to be the owner of the mailing list. I thought I already was which is why I suggested it :) I did receive an email from @goneall yesterday early evening... so maybe we both were listed as owners already?

jspeed-meyers commented on September 27, 2024 1

Given the helpful information above (thank you all), I think I'll put in a PR to use [email protected], and expect for @rnjudge to field any emails and send them to Gary and me should it be necessary. I expect no/low traffic.

jspeed-meyers commented on September 27, 2024

Good point on PyPI making releases more accessible. That works equally well for me. I just didn't want to obligate the project to also having dependencies on PyPI unless others thought it was worth it.

goneall commented on September 27, 2024

@jspeed-meyers What do you think of spinning a manual release? I'm going to do an update to the SPDX online tools in the next couple of days and it would be great to include a released version of the conformance checker.

jspeed-meyers commented on September 27, 2024

@goneall, a manual release is fine by me! Do you want help? Do you want me to do it? Should we do it together?

I have a little experience with doing PyPI releases, but I have done one in a couple years.

goneall commented on September 27, 2024

@jspeed-meyers - I'd appreciate the help. I'm more of a Java person and have not done a PyPI release. I'd be happy to help, but since I've no experience it may be faster if you produce the build - do let me know, however, if I can help out and take on any tasks.

jspeed-meyers commented on September 27, 2024

@goneall, I have a proposal. For this first, manual release, I propose doing a release here, on GitHub, in the so-called releases page. That's very easy.

And then, I'll work on creating a proper, automated release on PyPI next. Does that work for you?

jspeed-meyers commented on September 27, 2024

Manual release via GitHub releases done: https://github.com/spdx/ntia-conformance-checker/releases/tag/v0.1.0

@goneall, please let me know if this does the trick. I hope so! (And think so!)

But I'll keep this issue open until I actually put in a PR to do this in automated fashion. Here's one resource I'll probably use to do this.

jspeed-meyers commented on September 27, 2024

@anthonyharrison, indeed! That is very helpful. Thank you.

How would you like to proceed? Do you want me to start a PR (I could on Friday) and then ping you?

anthonyharrison commented on September 27, 2024

@jspeed-meyers Yes, a PR would be good. I will see if I can start putting a pull request together. Is there an spdx account on pypi that can be used? Does @goneall know?

jspeed-meyers commented on September 27, 2024

@anthonyharrison, I don't know if there is an SPDX account on PyPI. But I like where you're going. It would be nice to use an account that is associated with SPDX so that it is not associated with our personal accounts.

We can wait for @goneall's response.

As a plan B: We could create a gmail account specific to this project and ensure only a small set of SPDX-affiliated maintainers have the credentials. We could then use that gmail to register a PyPI account and claim a PyPI namespace.

jspeed-meyers commented on September 27, 2024

@goneall - I'd suggest we use [email protected] then.

How does that sound?

cc @anthonyharrison

goneall commented on September 27, 2024

@rnjudge - what do you think about using the [email protected] as the contact for the Python PyPI account?

jspeed-meyers commented on September 27, 2024

Could we use the spdx-implementers owner email? [email protected]?

Good call. We'll use [email protected] unless someone objects then. Thank you, @rnjudge and @goneall.

And for associating a PyPI package with one or more PyPI maintainers: I'll plan on tying the project to a single new gmail address and I'll share the credentials privately with the maintainers of this project.

rnjudge commented on September 27, 2024

Just a heads up @jspeed-meyers that I believe PyPI will require 2FA in order to push releases to PyPI (they do with Tern) so make sure to set that up and save the recovery codes they give you!

jspeed-meyers commented on September 27, 2024

Ah, thank you, @rnjudge.
