Justin Erenkrantz wrote:
> --On Sunday, April 3, 2005 9:10 PM +0100 Max Bowsher <maxb@ukf.net> wrote:
>
>> If you would like to make them saved to a file, I think that's a
>> reasonable change to dist.sh.
>
> I had suggested on IRC on Friday adding MD5 and SHA1 signature files and
> that was rejected by the #svn crowd.
I don't think we should have individual per-file ones - but how about a
single "subversion-x.y.z.checksums"?
>> I still think that is inappropriate for our official distribution script
>> to be facilitating signing before test, whilst we have a policy of
>> signatures meaning "I have tested this".
>
> My perspective is that, by signing it at dist.sh time, the RM is saying that
> "This tarball is X.Y.Z and I created it." This allows the bootstrapping
> of the signature process by assuring everyone that the RM has said this
> is my tarball.
>
> It would be possible (perhaps not likely?) for the RM to create the
> tarball and then immediately post the tarball to the mailing list. Yet,
> there needs to be some way to authenticate that the tarball is what the RM
> created. So, I think the intent of the RM's signature would be slightly
> different than a committer's signature because we need to ensure that it
> was what the RM created. -- justin
Ah, I see.
Ok, I'm convinced.
Max.
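The single "subversion-x.y.z.checksums" file proposed above, as an added example that is not part of the original mail and not code from Subversion's dist.sh: it emits one MD5 and one SHA1 line per tarball (the two digests mentioned in the thread) into one combined file, then verifies a release directory against that file, reporting tampered, missing and malformed entries. The BSD-style line format, the helper names and the sample tarball contents are assumptions made for illustration.

```python
"""Build and verify one combined "subversion-x.y.z.checksums" file.

Added example, not Subversion's dist.sh.  The "ALGO (name) = hex" line
format, the function names and the constructed sample files are assumptions.
"""
import hashlib
import os
import re
import shutil
import tempfile

ALGOS = ("md5", "sha1")            # the two digests discussed in the thread
LINE_RE = re.compile(r"^(MD5|SHA1) \((.+)\) = ([0-9a-f]+)$")


def digest_file(path, algo):
    """Hex digest of a file, read in chunks so large tarballs fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_checksums(paths):
    """Return the text of one combined checksums file covering all `paths`."""
    lines = []
    for path in paths:
        name = os.path.basename(path)
        for algo in ALGOS:
            lines.append("%s (%s) = %s" % (algo.upper(), name,
                                           digest_file(path, algo)))
    return "\n".join(lines) + "\n"


def verify_checksums(text, directory):
    """Check every line of a checksums file against the files in `directory`.

    Returns {filename: status} with status "ok", "missing", "mismatch:<ALGO>"
    (the first digest that fails) or, keyed by "line N", "malformed".
    A name containing a path separator or "." / ".." is treated as malformed
    so that a hostile checksums file cannot make the verifier read outside
    the release directory.
    """
    results = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        name = m.group(2) if m else None
        if m is None or "/" in name or "\\" in name or name in (".", ".."):
            results["line %d" % lineno] = "malformed"
            continue
        algo, expected = m.group(1).lower(), m.group(3)
        if results.get(name, "ok") != "ok":
            continue                # already failed on an earlier digest
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "missing"
        elif digest_file(path, algo) != expected:
            results[name] = "mismatch:" + algo.upper()
        else:
            results[name] = "ok"
    return results


def demo():
    """Constructed scenario: two 'tarballs'; one is then tampered with and
    the other removed after the checksums file was produced."""
    d = tempfile.mkdtemp()
    names = ["subversion-1.2.0.tar.gz", "subversion-1.2.0.tar.bz2"]
    for i, name in enumerate(names):
        with open(os.path.join(d, name), "wb") as f:
            f.write(("constructed tarball payload %d\n" % i).encode())
    text = build_checksums([os.path.join(d, n) for n in names])
    out = {"clean": verify_checksums(text, d)}
    with open(os.path.join(d, names[0]), "ab") as f:   # tamper after the fact
        f.write(b"backdoor\n")
    out["tampered"] = verify_checksums(text, d)
    os.remove(os.path.join(d, names[1]))
    out["missing"] = verify_checksums(text, d)
    shutil.rmtree(d)
    return out


if __name__ == "__main__":
    for stage, result in demo().items():
        print(stage, result)
```

In the scheme discussed in the thread, dist.sh would write the output of build_checksums to subversion-x.y.z.checksums and the RM would then produce a detached signature over that one file (gpg --armor --detach-sign subversion-x.y.z.checksums). A downloader checks the signature first and only then the digests: without the signature, the checksums file detects download corruption but not an attacker who replaced both the tarball and the file.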
Received on Mon Apr 4 21:15:12 2005