Quick show of hands: who is still using the binary nightly releases that we build and publish?
All of the folks I know are either using the project for dev or as a library. Please speak up if you are using the binary releases so that we can discuss support for them. If they are actively used, we may need to switch them to ad hoc, based on a user action and running on secure runners.
I’m sure you all are aware of the increasing supply chain risk to public GA pipelines. While there are ways to mitigate these, it costs time/money and is a game of cat and mouse. The most effective thing to do for public community repos is to not have fancy automation that requires system-initiated write access and can run on stock runners.
Relatedly, our pre/post submit CI is wrapped up in this and having issues. I would like to switch this to a more standard/secure setup but need to decouple it from the release pipeline to do so.
With the new FX-based importer, we no longer have a binary dep on PyTorch and this has allowed us to stop using distributed torch-mlir binaries entirely. I wasn’t going to rock the boat by disabling the older stuff just yet, but the security situation is upon us. I can’t keep running things the way they are as the exposure to myself is too large. If someone else would like to step up and take responsibility for this piece, I can hand it to you.
Unless there are major objections, I’ll start unwinding this next week. By the end of the month, I will no longer be able to provide keys to keep the current automation running.