- Type: Question
- Resolution: Done
- Priority: Minor - P4
- None
- Affects Version/s: None
- Component/s: None
- Labels: None
We're working on collecting information about MongoDB products' publishing to public distribution channels (DEVPROD-4940) to understand whether we're compliant with the "Authorized publication on third party distribution channels" requirement of the SSDLC Policy.

Please answer the following questions about releases/publishes for your product. There are 2 sections: one for 3rd party channels (like Docker Hub, PyPI, crates.io) and one for MongoDB-managed channels (like repo.mongodb.com, fastdl.mongodb.org). The compliance requirement currently specifies 3rd party channels, so that section is the higher priority, but we'd also like to assess releases/publishes to our own distribution channels for security reasons.
I'll try to pre-populate some answers based on what we know today. Feel free to change that information if it's incorrect.
Feel free to re-assign this ticket or move to another project if needed. You can close the ticket after you answer the questions. Thank you!
For 3rd party distribution channels:
- What distribution channels do you publish to? E.g. PyPI, npmjs, Docker Hub, etc.
> RubyGems
- Are there any publishing tasks that happen manually and/or outside of the CI/CD platforms? E.g. someone's workstation
>
- Is publishing automated via CI/CD (Evergreen, GitHub Actions, etc.)? If yes, what platforms?
>
- If automated via CI/CD, does publishing happen in the same project/repo as mainline commits/builds/tests or in a separate project/repo?
>
- If automated via CI/CD, who can trigger a release or publish to public distribution channels? Only release managers, anyone on the team, anyone with write access to the git repo, etc.?
>
- If automated via CI/CD, does the release project have patch builds enabled? E.g. can certain tasks be triggered from the CLI or a PR without commits to the main git repo?
>
For MongoDB-managed distribution channels:
- What distribution channels do you publish to? E.g. repo.mongodb.com/org, downloads.mongodb.com/org, etc.
>
- Are there any publishing tasks that happen manually and/or outside of the CI/CD platforms? E.g. someone's workstation
>
- Is publishing automated via CI/CD (Evergreen, GitHub Actions, etc.)? If yes, what platforms?
>
- If automated via CI/CD, does publishing happen in the same project/repo as mainline commits/builds/tests or in a separate project/repo?
>
- If automated via CI/CD, who can trigger a release or publish to public distribution channels? Only release managers, anyone on the team, anyone with write access to the git repo, etc.?
>
- If automated via CI/CD, does the release project have patch builds enabled? E.g. can certain tasks be triggered from the CLI or a PR without commits to the main git repo?
>