On Sat, Aug 11, 2012 at 2:57 PM, Daniel Shahaf <d.s_at_daniel.shahaf.name> wrote:
> Mark Phippard wrote on Fri, Aug 10, 2012 at 09:30:01 -0400:
>> On Fri, Aug 10, 2012 at 9:06 AM, Philip Martin
>> <philip.martin_at_wandisco.com> wrote:
>> > Justin Erenkrantz <justin_at_erenkrantz.com> writes:
>> >
>> >> On Wed, Aug 8, 2012 at 1:40 PM, Philip Martin
>> >> <philip.martin_at_wandisco.com> wrote:
>> >>> Subversion 1.7.6 tarballs are now available for testing/signing by
>> >>> committers. To obtain them please check out a working copy from
>> >>> https://dist.apache.org/repos/dist/dev/subversion
>> >>
>> >> +1 for release.
>> >>
>> >> Tested on Mac OS X 10.7.4.
>> >>
>> >> All tests pass (even the one that C-Mike pointed out failed for him).
>> >>
>> >> BTW, I used the release.py script...which signed all of the release
>> >> files. *shrug*
>> >
>> > You didn't have to commit all the files! You can also sign the files
>> > manually without using release.py.
>> >
>> > I signed all the files as release manager but while I looked at the zip
>> > file I didn't build/test it. When signing releases in the past I signed
>> > only the files I tested. I suppose we should extend release.py to
>> > support signing a subset.
>>
>> I have sometimes wondered why we do not all sign all of the files.
>
> The idea is that a hypothetical malicious release manager could create
> tar.gz and tar.bz2 correctly but a malicious .zip file.

But if we still require three +1's from Windows testers and three from
Unix testers does that not take care of it? Paul and I tested and
signed the Windows zip file. Doesn't it make the signatures of the
Unix tarballs "better" if we also signed those? Likewise, if C-Mike,
Philip and Justin signed the Windows zip files it seems like that
would also be "better".

They would not be giving a binding Windows +1, just adding their
signatures to the files.
--
Thanks
Mark Phippard
http://markphip.blogspot.com/
Received on 2012-08-12 00:06:51 CEST
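The distinction the thread draws, between a signature that merely binds a key to a set of bytes and a tester's binding +1 for the platform they actually built and tested on, can be made mechanical. The following is an added example, not code from the thread or from the Subversion project's release.py; it uses Ed25519 from the Go standard library in place of the project's GPG detached signatures purely so it runs offline, and the signer names, the artifact bytes and the quorum of three are constructed from the thread's "three +1's" figure rather than taken from any real release. It verifies every signature against the bytes being released, counts only distinct signers who tested on the target platform toward quorum, and shows why a release manager who swaps the .zip after the Windows testers signed it cannot ship it alone:

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Tester is a committer who may sign release artifacts. The Ed25519 key pair
// stands in for their GPG key (an assumption made so the example runs with
// the standard library only; the project itself does not sign with Ed25519).
type Tester struct {
	Name string
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewTester(name string) *Tester {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Tester{name, pub, priv}
}

// Signature is a detached signature over the SHA-256 digest of one artifact.
// Tested records the platform the signer actually built and tested that
// artifact on; "" means signed without testing, e.g. a release manager
// signing the whole set, and "unix" on a .zip means a Unix tester added a
// signature without claiming a Windows +1.
type Signature struct {
	Signer *Tester
	Tested string
	Sig    []byte
}

func (t *Tester) Sign(artifact []byte, testedOn string) Signature {
	d := sha256.Sum256(artifact)
	return Signature{t, testedOn, ed25519.Sign(t.priv, d[:])}
}

// Verdict separates "how many keys vouch for these exact bytes" (Valid) from
// "how many binding +1s does the artifact have" (Binding): a binding vote is
// a valid signature from a distinct signer who tested on the target platform.
type Verdict struct {
	Valid, Binding int
	Invalid        []string // signers whose signature does not match the bytes
}

// CheckArtifact applies the policy discussed in the thread: every attached
// signature must verify against the bytes being released, and the artifact
// needs `quorum` binding votes for its target platform. Signatures from other
// platforms or from untested signers must still verify but do not count.
func CheckArtifact(artifact []byte, target string, sigs []Signature, quorum int) (Verdict, bool) {
	d := sha256.Sum256(artifact)
	var v Verdict
	seen := map[string]bool{}
	for _, s := range sigs {
		if !ed25519.Verify(s.Signer.pub, d[:], s.Sig) {
			v.Invalid = append(v.Invalid, s.Signer.Name)
			continue
		}
		v.Valid++
		if s.Tested == target && !seen[s.Signer.Name] {
			seen[s.Signer.Name] = true
			v.Binding++
		}
	}
	return v, len(v.Invalid) == 0 && v.Binding >= quorum
}

func main() {
	rm := NewTester("rm")
	win := []*Tester{NewTester("w1"), NewTester("w2"), NewTester("w3")}
	u1 := NewTester("u1")
	zip := []byte("constructed stand-in for a release .zip") // constructed input

	// Release manager signs without testing; Windows testers sign what they
	// tested; a Unix tester adds a signature that is not a Windows +1.
	sigs := []Signature{rm.Sign(zip, "")}
	for _, w := range win {
		sigs = append(sigs, w.Sign(zip, "windows"))
	}
	sigs = append(sigs, u1.Sign(zip, "unix"))
	v, ok := CheckArtifact(zip, "windows", sigs, 3)
	fmt.Printf("honest zip:  valid=%d binding=%d release=%v\n", v.Valid, v.Binding, ok)

	// A malicious release manager swaps the zip and re-signs it alone: the
	// testers' signatures no longer match, so the swap is visible.
	evil := []byte("constructed tampered zip") // constructed input
	tampered := append([]Signature{rm.Sign(evil, "")}, sigs[1:]...)
	v, ok = CheckArtifact(evil, "windows", tampered, 3)
	fmt.Printf("swapped zip: valid=%d binding=%d invalid=%v release=%v\n", v.Valid, v.Binding, v.Invalid, ok)
}
```

Run with `go run .`; the honest case reports five valid signatures but only three binding votes, which is exactly the thread's point that extra signatures from the other platform's testers make the file "better" attested without counting as Windows +1s, while the swapped zip is rejected because four of the five signatures fail to verify.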