
Re: [PATCH] Document tarball signing

From: mark benedetto king <mbk_at_lowlatency.com>
Date: 2005-11-22 22:37:01 CET

Some typos/nits:

On Tue, Nov 22, 2005 at 09:44:30PM +0100, Peter N. Lundblad wrote:
> +<p>Before a release or release candidate is offocially made public, it is

"officially".

> +made available in a temporary location for committers to test and sign.
> +The point is to have the tarballs tested on more systems than that of the
> +person who rolled the release. When there are three signs from full

"three signatures".

I think another point of the additional signatures is increased security;
a consumer might not trust a single release manager not to have trojaned
the release. I don't know if that bears mentioning here, though.

> +committers for each of the <tt>.tar.bz2</tt, <tt>.tar.gz</tt> and
> +<tt>.zip</tt> files, the release (candidate) can go public.</p>
> +
> +<p>After having extracted and tested the tarball, you should sign it using
> +gpg, to indicate that you've checked this
> +particular package. To do so, use a command like:</p>
> +
> +<pre>
> + gpg --sign --armor --detach-sign subversion-1.3.0-rc4.tar.bz2
> +</pre>
> +
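Review bot: the closing tag in `committers for each of the <tt>.tar.bz2</tt, <tt>.tar.gz</tt> and` is malformed: `</tt,` is missing its `>`, so the `<tt>` around the first filename is never closed in the generated HTML. Change it to `<tt>.tar.bz2</tt>, <tt>.tar.gz</tt> and` before committing.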

Should we independently export and verify that the release tarball
is a true copy of the tag before signing?

--ben
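The check ben asks about, written out as an added example (this is not code from the patch, nor the Subversion project's own release tooling): before detach-signing the tarball, export the release tag independently, unpack the tarball beside it, and require the two trees to be byte-for-byte identical, so the signature attests to the tag's content and not merely to whatever file the release manager handed out. The tool names (svn, tar, gpg on PATH), GNU tar's `--strip-components`, and the fixture trees built by `self_test` are assumptions of this example.

```shell
#!/bin/sh
# Added example; not code from the patch or from the Subversion project.
# Verify that an unpacked release tarball is a true copy of the release tag
# before signing it. Assumes svn, GNU tar and gpg are on PATH.

# tree_matches EXPORT_DIR TARBALL_DIR
#   Exit 0 when the two trees are identical. `diff -r -q` also reports files
#   present in only one tree, so a file added to the tarball but absent from
#   the tag fails the check, as does a modified or missing file.
tree_matches() {
    diff -r -q "$1" "$2" >/dev/null 2>&1
}

# check_against_tag TAG_URL TARBALL
#   Export the tag, unpack the tarball next to it, and compare. Not run by the
#   demo below, so the script works without a repository or network access.
check_against_tag() {
    tag_url=$1
    tarball=$2
    work=$(mktemp -d) || return 2
    svn export -q "$tag_url" "$work/export" || return 2
    mkdir "$work/tarball" || return 2
    # The tarball's top-level directory (e.g. subversion-1.3.0-rc4/) is
    # stripped so both trees start at the project root (GNU tar option).
    tar -xjf "$tarball" -C "$work/tarball" --strip-components=1 || return 2
    if tree_matches "$work/export" "$work/tarball"; then
        rm -rf "$work"
        return 0
    fi
    diff -r -q "$work/export" "$work/tarball"   # show the signer what differs
    rm -rf "$work"
    return 1
}

# sign_tarball TARBALL
#   Produce TARBALL.asc, the detached armored signature the patch describes.
#   Only call this after check_against_tag has returned 0.
sign_tarball() {
    gpg --sign --armor --detach-sign "$1"
}

# self_test
#   Constructed fixture standing in for an export and two unpacked tarballs:
#   a clean copy must match, a copy with one extra file must not.
self_test() {
    fx=$(mktemp -d) || return 2
    mkdir -p "$fx/export/subversion" "$fx/clean/subversion" "$fx/tampered/subversion"
    for d in export clean tampered; do
        printf 'int main(void) { return 0; }\n' > "$fx/$d/subversion/main.c"
        printf 'Subversion 1.3.0-rc4 (constructed fixture)\n' > "$fx/$d/README"
    done
    printf 'not present in the tag\n' > "$fx/tampered/subversion/extra.c"
    if tree_matches "$fx/export" "$fx/clean"; then clean_rc=0; else clean_rc=1; fi
    if tree_matches "$fx/export" "$fx/tampered"; then tampered_rc=0; else tampered_rc=1; fi
    rm -rf "$fx"
    [ "$clean_rc" -eq 0 ] && [ "$tampered_rc" -ne 0 ]
}

if self_test; then
    echo "self-test passed: identical trees match, an added file is detected"
else
    echo "self-test FAILED" >&2
fi
```

In a real release check, run `check_against_tag http://svn.collab.net/repos/svn/tags/1.3.0-rc4 subversion-1.3.0-rc4.tar.bz2` (the URL is illustrative) and call `sign_tarball` only when it returns 0; a non-zero result is the case where a signature should not be produced at all, whatever the tarball's test results were.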

Received on Tue Nov 22 22:35:00 2005

This is an archived mail posted to the Subversion Dev mailing list.
