
Re: 1.7.6 Candidates

From: Daniel Shahaf <d.s_at_daniel.shahaf.name>
Date: Sun, 12 Aug 2012 16:22:01 +0100

Mark Phippard wrote on Sat, Aug 11, 2012 at 18:06:18 -0400:
> On Sat, Aug 11, 2012 at 2:57 PM, Daniel Shahaf <d.s_at_daniel.shahaf.name> wrote:
> > Mark Phippard wrote on Fri, Aug 10, 2012 at 09:30:01 -0400:
> >> On Fri, Aug 10, 2012 at 9:06 AM, Philip Martin
> >> <philip.martin_at_wandisco.com> wrote:
> >> > Justin Erenkrantz <justin_at_erenkrantz.com> writes:
> >> >
> >> >> On Wed, Aug 8, 2012 at 1:40 PM, Philip Martin
> >> >> <philip.martin_at_wandisco.com> wrote:
> >> >>> Subversion 1.7.6 tarballs are now available for testing/signing by
> >> >>> committers. To obtain them please check out a working copy from
> >> >>> https://dist.apache.org/repos/dist/dev/subversion
> >> >>
> >> >> +1 for release.
> >> >>
> >> >> Tested on Mac OS X 10.7.4.
> >> >>
> >> >> All tests pass (even the one that C-Mike pointed out failed for him).
> >> >>
> >> >> BTW, I used the release.py script...which signed all of the release
> >> >> files. *shrug*
> >> >
> >> > You didn't have to commit all the files! You can also sign the files
> >> > manually without using release.py.
> >> >
> >> > I signed all the files as release manager but while I looked at the zip
> >> > file I didn't build/test it. When signing releases in the past I signed
> >> > only the files I tested. I suppose we should extend release.py to
> >> > support signing a subset.
> >>
> >> I have sometimes wondered why we do not all sign all of the files.
> >
> > The idea is that a hypothetical malicious release manager could create
> > tar.gz and tar.bz2 correctly but a malicious .zip file.
>
> But if we still require three +1's from Windows testers and three from
> Unix testers does that not take care of it? Paul and I tested and
> signed the Windows zip file. Doesn't it make the signatures of the
> Unix tar's "better" if we also signed those? Likewise, if C-Mike,

No. It makes them worse.

Unless of course you expanded the tar and diff'd it --ignore-eol-style
against the zip you had built, in which case it does make them better.

> Philip and Justin signed the Windows zip files it seems like that
> would also be "better".
>
> They would not be giving a binding Windows +1, just adding their
> signatures to the files.
Received on 2012-08-12 17:22:38 CEST
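Daniel's check above, confirming that the zip matches the tarball you actually tested once line endings are ignored, as an added Python example (not release.py and not code from the thread); the release directory name subversion-1.7.6/, the file paths and the archive contents are constructed sample data.

```python
import io
import tarfile
import zipfile

def _strip_top(name):
    """Drop the leading release directory ("subversion-1.7.6/foo" -> "foo")."""
    top, sep, rest = name.partition("/")
    return rest if sep else None

def tar_files(blob):
    """Map path -> bytes for every regular file in a .tar.gz held in memory."""
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tf:
        return {_strip_top(m.name): tf.extractfile(m).read()
                for m in tf.getmembers() if m.isfile() and _strip_top(m.name)}

def zip_files(blob):
    """Map path -> bytes for every file entry in a .zip held in memory."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return {_strip_top(i.filename): zf.read(i)
                for i in zf.infolist() if not i.is_dir() and _strip_top(i.filename)}

def differing_paths(tar_blob, zip_blob):
    """Paths missing from one archive, or whose content differs after CRLF is
    folded to LF (the zip is built with native Windows line endings)."""
    a, b = tar_files(tar_blob), zip_files(zip_blob)
    norm = lambda d: d.replace(b"\r\n", b"\n")
    return sorted(p for p in set(a) | set(b)
                  if p not in a or p not in b or norm(a[p]) != norm(b[p]))

def make_tar(files):
    """Constructed .tar.gz with LF line endings, as a Unix tester would build."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for path, data in files.items():
            info = tarfile.TarInfo("subversion-1.7.6/" + path)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def make_zip(files):
    """Constructed .zip with CRLF line endings, as the Windows zip is shipped."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, data in files.items():
            zf.writestr("subversion-1.7.6/" + path, data.replace(b"\n", b"\r\n"))
    return buf.getvalue()

# Constructed sample: the tested tarball contents, and a variant whose configure
# script carries a line the tarball reviewers never saw.
TESTED = {"configure": b"#!/bin/sh\nexit 0\n",
          "subversion/svn/main.c": b"int main(void) { return 0; }\n"}
TAMPERED = dict(TESTED, configure=b"#!/bin/sh\n# line absent from the tarball\nexit 0\n")
```

A clean zip yields an empty list, so only a zip that reports no differing paths is worth adding a signature to; any path listed is a reason to withhold it.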

This is an archived mail posted to the Subversion Dev mailing list.
