
Re: automatically verifying PGP sigs on dist.a.o Re: Moving our dist area to svnpubsub

From: Konstantin Kolinko <knst.kolinko_at_gmail.com>
Date: Tue, 14 Feb 2012 01:40:53 +0400

2012/2/13 Daniel Shahaf <d.s_at_daniel.shahaf.name>:
> [CC += infra]
> Hyrum K Wright wrote on Mon, Feb 13, 2012 at 09:08:26 -0600:
>> On Mon, Feb 13, 2012 at 9:02 AM, Daniel Shahaf <d.s_at_daniel.shahaf.name> wrote:
>> > Currently we publish releases by uploading them to a specified directory
>> > on scp://people.apache.org/.
>> >
>> > Infra would like to move from this model to a model where releases are
>> > stored in a Subversion repository[1].
>> >
>> > I suggest that we join a few other PMCs who had already converted.  The
>> > impact on us is that we'll be uploading releases by committing to
>> > [1]/subversion, rather than by scp'ing them.  It will also shorten the
>> > wait period on mirroring new releases from 25 hours to 24 hours.
>> >
>> > Barring objections I'll follow up with infra in a few days to make this
>> > happen.
>> That would be awesome.  Despite my past obstinacy, I'm particularly
>> attracted to the part where PMC members would be able to directly
>> commit their signatures to the release area, where something (an
>> svnpubsub instance?) then verifies the sigs.
> +1.
> As to the implementation: we could run something off of svnpubsub to
> verify the signatures, but I wonder if it'd make more sense to do that
> ASF-wide in the pre-commit hook on dist.apache.org.  Infra people ---
> thoughts?

Afaik there is already a cron job that does verification,
-> pgp checks
-> sig/md5 checker documentation

Do you think that the hook should verify that the key is "trusted" and
reject the commit, or just nag? I, personally, would prefer nagging as
there might be different issues, and the PMC may need some time to resolve
the issue.

Best regards,
Konstantin Kolinko
Received on 2012-02-13 22:41:31 CET

This is an archived mail posted to the Subversion Dev mailing list.