On Tue, May 15, 2012 at 11:16 AM, C. Michael Pilato <cmpilato_at_collab.net> wrote:
> On 05/15/2012 11:04 AM, Philip Martin wrote:
>> Philip Martin <philip.martin_at_wandisco.com> writes:
>>
>>> Please add your signatures to the .asc files there.
>>> You can use the release.py script for this:
>>> release.py sign-candidates --target /path/to/dist/dev/subversion/wc 1.7.5
>>> which is the equivalent of running the following command for each
>>> tarball:
>>> gpg -ba -o - subversion-1.6.18.tar.bz2 >> subversion-1.6.18.tar.bz2.asc
>>
>> I copied this from previous announcements but I'm not sure the release
>> process is right here. The "release.py sign-candidates" suggestion
>> implies that we expect people to sign all the files but for previous
>> releases, when I was not release manager, I only signed the Unix
>> tarballs since that is what I tested. If people sign all the files it
>> makes it harder to determine whether we have the required number of
>> Windows/Unix signatures.
>>
>> We currently have 5 signatures on the Unix tarballs and 6 signatures on
>> the Windows zip file but from the mails to dev I believe that 1.7.5
>> still requires another "real" Windows signature.
>
> I've never signed the Windows ZIP files, and don't see why I should when I
> haven't personally verified their content. I suspect Johan and Paul are the
> only folks who've really tested the release on Windows.

Yes, I only verified and tested (on Windows) the subversion-1.7.5.zip
file. This is how I've always done it. I'm happy to sign the
tarballs too, but I think it makes more sense to return to our de
facto standard of only signing what we test.
--
Paul T. Burba
CollabNet, Inc. -- www.collab.net -- Enterprise Cloud Development
Skype: ptburba
Received on 2012-05-15 17:41:47 CEST