[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: 1.7.6 Candidates

From: Ben Reser <ben_at_reser.org>
Date: Sat, 11 Aug 2012 21:13:56 -0700

On Sat, Aug 11, 2012 at 11:57 AM, Daniel Shahaf <d.s_at_daniel.shahaf.name> wrote:
> The idea is that a hypothetical malicious release manager could create
> tar.gz and tar.bz2 correctly but a malicious .zip file.
>
> We could write a release.py subcommand that compares the
> tar.gz/tar.bz2/zip to each other (and to the tag in svn.a.o). Then
> people can run
>
> release.py intercompare-tarballs && release.py sign-tarballs

+1

I'd encourage that anyone who uses something like this should review
the code before using it to determine that the release packaging
matches.
Received on 2012-08-12 06:14:39 CEST

This is an archived mail posted to the Subversion Dev mailing list.