
Re: PROPOSAL: GPG Signing of Releases

From: Ben Reser <ben_at_reser.org>
Date: 2004-04-06 21:39:43 CEST

On Tue, Apr 06, 2004 at 01:07:19PM -0500, kfogel@collab.net wrote:
> Ben Reser <ben@reser.org> writes:

> >The RM will also make themselves available on IRC in order to verify
> >the md5sum.
> And phone is fine too :-).

Sure. Any communication medium we can use is fine with me. I used IRC
above because releases tend to "happen on IRC."

> Indeed, the testing part is entirely independent of the
> verification/signing part. (Technically it doesn't even need to be
> part of this proposal, therefore.)

Agreed. The testing wouldn't be required. I personally will do this.
What other people really want to do is up to them.

> Note that you can verify (say) the gzip package, then unpack the bzip2
> and do a 'diff -r' between the two trees. If there's no difference,
> you can sign the bzip2 package as well.

Between the gzip and bzip2 package this is true. I think you'll need -w
to do the zip file one because of the CRLF vs LF thing. But that's not
even happening yet.

> > I'm not sure when we can start doing this. We need to get web of trust
> > issues worked out as best as we can with individual developers. So
> > I'm not thinking this is a 1.0.2 time frame thing. But maybe 1.0.3 or
> > 1.1.0 thing.
>
> I think we can get a web of trust for 1.0.2 pretty easily. We've got
> four developers in the same room over here, plus we can all easily
> verify (via personal information) with Sander Striker, Greg Stein,
> Daniel Rall, and others. It shouldn't be hard to spread such a broad
> core out to include a lot of people pretty fast.

Sure, it just depends on how ambitious we want to be. I personally need
to get together with one of the Debian guys up here. The guy I know can
do it for me was out of town when I last asked. He should be back now.
So I should drop another email.

-- 
Ben Reser <ben@reser.org>
http://ben.reser.org
"Conscience is the inner voice which warns us somebody may be looking."
- H.L. Mencken
Received on Tue Apr 6 21:40:18 2004
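
The cross-check discussed in this message (verify one package, then confirm the others carry the same tree before signing them) is sketched below as an added example; it is not part of the original mail or of the Subversion project's release tooling. It goes beyond the gzip/bzip2 case by also reading a zip, hashes archive members in memory instead of running `diff -r` on unpacked trees, and handles the CRLF issue by normalizing CRLF to LF only, which is narrower than `diff -w`. All function names and the sample tree are assumptions constructed for illustration.

```python
import hashlib
import io
import tarfile
import zipfile

def tree_digests(data, kind, normalize_eol=False):
    """Map each regular file in an archive to the SHA-256 of its contents."""
    files = {}
    if kind == "zip":
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if not info.is_dir():
                    files[info.filename] = zf.read(info)
    else:  # "gz" or "bz2" tarball
        with tarfile.open(fileobj=io.BytesIO(data), mode=f"r:{kind}") as tf:
            for member in tf:
                if member.isfile():  # links and devices are not compared here
                    files[member.name] = tf.extractfile(member).read()
    if normalize_eol:  # CRLF -> LF only, narrower than diff -w
        files = {n: c.replace(b"\r\n", b"\n") for n, c in files.items()}
    return {n: hashlib.sha256(c).hexdigest() for n, c in files.items()}

def tree_diff(a, b):
    """Paths missing from one tree or differing in content ([] = identical)."""
    return sorted(p for p in a.keys() | b.keys() if a.get(p) != b.get(p))

# Constructed sample release (hypothetical names), packed three ways below.
TREE = {"proj-1.0/README": b"Release notes\nline two\n",
        "proj-1.0/src/main.c": b"int main(void) { return 0; }\n"}

def make_tar(tree, kind):
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode=f"w:{kind}") as tf:
        for name, content in tree.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tf.addfile(info, io.BytesIO(content))
    return buf.getvalue()

def make_zip_crlf(tree):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in tree.items():
            zf.writestr(name, content.replace(b"\n", b"\r\n"))
    return buf.getvalue()

if __name__ == "__main__":
    gz = tree_digests(make_tar(TREE, "gz"), "gz")
    print(tree_diff(gz, tree_digests(make_tar(TREE, "bz2"), "bz2")))
    print(tree_diff(gz, tree_digests(make_zip_crlf(TREE), "zip")))
```

An empty list means the second archive holds the same files as the one already verified; any listed path is a reason not to sign until the difference is explained.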

This is an archived mail posted to the Subversion Dev mailing list.