collecting signatures for releases: thoughts on collect_sigs.py@{2011-12-04}

From: Daniel Shahaf <d.s_at_daniel.shahaf.name>
Date: Sat, 4 Dec 2010 00:51:12 +0200

[ Summary: collect signatures for releases via a CGI that verifies
signatures and commits them to a Subversion repository. ]

We now have a CGI script[1] that collects the signatures for release,
verifies them, and assembles them into *.asc files. That automates
some work that previously fell upon the release manager.

Several features were suggested for the CGI:

* verify signatures as they are being collected [this was present in the CGI from day one]
* allow anyone (not just the RM) to retrieve collected signatures [this was implemented last week]
* notify dev@ upon new signatures
* notify IRC upon new signatures
* display statistics about the collected signatures

It seems to me that we could meet most of these requirements ---
specifically, the second, third, and fourth --- by storing the
signatures in a Subversion repository. We could continue meeting
the first requirement by using the signature-verifying CGI as a doorway;

Specifically, the suggested process is:

* Signatures would be entered into the CGI.
* The CGI would verify them (like today).
* The CGI would then commit them to the backing repository.
* Notification to dev@/IRC will be handled by standard post-commit hooks.

This addresses all but the 'statistics' criterion (which includes, for
example, reporting how many signatures each tarball currently has and
how are they distributed between Unix/Windows).

Thoughts?

Daniel

[1] http://work.hyrumwright.org/pub/svn/collect_sigs.py
http://svn.apache.org/repos/asf/subversion/trunk/tools/dist/collect_sigs.py
Received on 2010-12-03 23:54:46 CET

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]