Ben Reser <ben@reser.org> writes:
> b) Testing beta tarballs seems not very useful. This ignores that the
> tarball production setup is fairly brittle. You guys are used to one
> person doing it and doing it in a very controlled environment (I build
> tarballs out of chroot that never does anything but build tarballs so
> there aren't any unexpected changes to the release environment).

Are you saying that it would be difficult to build a source -beta
tarball followed by a true release tarball, such that the only
difference between them is the version label? (That's surprising, if
so.)

> What I'd much rather see is, that we cut tarballs as though they were
> releases and distribute them to developers for testing. When several
> developers sign off on testing then we post them for everyone else.
> I've always been thinking 3 or 4 developers.
>
> While this cuts out anyone that just randomly wants to test, it isn't
> based upon the presumption that if it's there people will test it. We
> know who tested it. And presumably we know what procedures they
> followed to test it.

That's an independent proposal, I think. If we want to have 3 or 4
developers test it, we can do that as easily with beta tarballs as
with true-but-slightly-secret tarballs. The difference is that we
can't let the latter kind of tarball out where other people could test
it too. That seems a pretty large disadvantage...

> Additionally, I've wanted us to always produce multiple GPG signatures
> for every release. One person's GPG key being compromised shouldn't be
> sufficient to sign a hacked release. As things stand now if my key was
> ever compromised so are most of the releases we've made (or at least we
> can't be assured that they aren't).

+1, I'll be happy to sign.
Received on Fri Jan 14 20:45:08 2005