On Tue, May 15, 2012 at 11:16:13AM -0400, C. Michael Pilato wrote:
> On 05/15/2012 11:04 AM, Philip Martin wrote:
> > Philip Martin <philip.martin_at_wandisco.com> writes:
> >
> >> Please add your signatures to the .asc files there.
> >> You can use the release.py script for this:
> >> release.py sign-candidates --target /path/to/dist/dev/subversion/wc 1.7.5
> >> which is the equivalent of running the following command for each
> >> tarball:
> >> gpg -ba -f - subversion-1.6.18.tar.bz2 >> subversion-1.6.18.tar.bz2.asc
> >
> > I copied this from previous announcements but I'm not sure the release
> > process is right here. The "release.py sign-candidates" suggestion
> > implies that we expect people to sign all the files but for previous
> > releases, when I was not release manager, I only signed the Unix
> > tarballs since that is what I tested. If people sign all the files it
> > makes it harder to determine whether we have the required number of
> > Windows/Unix signatures.
> >
> > We currently have 5 signatures on the Unix tarballs and 6 signatures on
> > the Windows zip file but from the mails to dev I believe that 1.7.5
> > still requires another "real" Windows signature.
>
> I've never signed the Windows ZIP files, and don't see why I should when I
> haven't personally verified their content. I suspect Johan and Paul are the
> only folks who've really tested the release on Windows.

I visually inspected the differences between the tarballs and the
zip file before signing. But I didn't run tests on Windows.

I thought the platform that people test on would count towards the
required amount of sigs for the platform. And that those who didn't
test a particular archive could still sign the archive without affecting
the count of per-platform test runs.

But I would not object to changing release.py in a way that allows
signatures only on archives tested.

Received on 2012-05-15 17:45:26 CEST