[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: [PATCH] Document tarball signing

From: <kfogel_at_collab.net>
Date: 2005-11-22 23:32:47 CET

mark benedetto king <mbk@lowlatency.com> writes:
> On Tue, Nov 22, 2005 at 04:12:52PM -0600, kfogel@collab.net wrote:
> > mark benedetto king <mbk@lowlatency.com> writes:
> > > Should we independently export and verify that the release tarball
> > > is a true copy of the tag before signing?
> >
> > I actually diff it against the release branch and make sure (with
> > Emacs' help, esp M-x delete-non-matching-lines) that all differences
> > are expected and innocuous. I suppose I could diff against the tag
> > too.
>
> Right, a branch WC is more likely to be handy, and your process serves
> the same purpose. Perhaps we should make this an explicit step,
> though, so that signers understand what their signature should entail.

Again, I think: let's just recommend it, and tell people to always
state in their signature post exactly what testing/verification they
did. (I didn't state the tree comparison step in my sig mail because
I haven't actually done it yet, though I will later tonight.)

IOW, a signature should mean "I certify that the following things are
true about this tarball: X, Y, Z." It's up to the poster what X, Y,
and Z are, and it's up to us as a community whether the union of
everyone's different Xs, Ys, and Zs satisfies the requirements for a
release.

-Karl

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Received on Wed Nov 23 00:54:43 2005

This is an archived mail posted to the Subversion Dev mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.