Re: 1.7.6 Candidates

From: Ben Reser <ben_at_reser.org>
Date: Sat, 11 Aug 2012 21:13:56 -0700

On Sat, Aug 11, 2012 at 11:57 AM, Daniel Shahaf <d.s_at_daniel.shahaf.name> wrote:
> The idea is that a hypothetical malicious release manager could create
> tar.gz and tar.bz2 correctly but a malicious .zip file.
>
> We could write a release.py subcommand that compares the
> tar.gz/tar.bz2/zip to each other (and to the tag in svn.a.o). Then
> people can run
>
> release.py intercompare-tarballs && release.py sign-tarballs

I'd encourage that anyone who uses something like this should review
the code before using it to determine that the release packaging
matches.
Received on 2012-08-12 06:14:39 CEST

This message: [ Message body ]
Next message: Ben Reser: "Re: [PATCH] update configure.ac to follow new download location sqlite amalgamation"
Previous message: Ben Reser: "Re: 1.7.6 Candidates"
In reply to: Daniel Shahaf: "Re: 1.7.6 Candidates"
Next in thread: Mark Phippard: "Re: 1.7.6 Candidates"

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]