Re: svn commit: r13872 - trunk

--On Sunday, April 3, 2005 9:10 PM +0100 Max Bowsher <maxb@ukf.net> wrote:

> If you would like to make them saved to a file, I think that's a
> reasonable change to dist.sh.

I had suggested on IRC on Friday adding MD5 and SHA1 signature files and
that was rejected by the #svn crowd.

> Um, what? How is a tarball going to change without the concious activity
> of the RM?

Corruption and so forth. As an RM, I was constantly copying the tarball
around to machines as I started the testing process. Therefore, I was
looking for a way to ensure that it is the tarball that I created.

A PGP signature is, IMO, the easiest way to ensure that it is what I
created.

> I still think that is inappropriate for our official distribution script
> to be facilitating signing before test, whilst we have a policy of
> signatures meaning "I have tested this".

My perspective that, by signing it at dist.sh time, the RM is saying that
"This tarball is X.Y.Z and I created it." This allows the bootstrapping of
the signature process by ensuring everyone that the RM has said this is my
tarball.

It would be possible (perhaps not likely?) for the RM to create the tarball
and then immediately post the tarball to the mailing list. Yet, there
needs to be some way to authenticate that the tarball is what the RM
created. So, I think the intent of the RMs signature would be slightly
different than a committers' signature because we need to ensure that it
was what the RM created. -- justin

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Received on Mon Apr 4 19:50:50 2005