On Sun, Aug 12, 2012 at 8:03 PM, Ben Reser <ben_at_reser.org> wrote:
> On Sun, Aug 12, 2012 at 8:22 AM, Daniel Shahaf <d.s_at_daniel.shahaf.name> wrote:
>> No. It makes them worse.
>> Unless of course you expanded the tar and diff'd it --ignore-eol-style
>> against the zip you had built, in which case it does make them better.
> Maybe I'm being obtuse but isn't everyone signing checking the code
> against the branch (for every file they're signing)? That should be
> the absolute minimum anyone is doing before signing.
Well, I don't actually. But then again, I'm not stating that when I give my +1.
The community guide says:
Signing a tarball means that you assert certain things about it. When
announcing your signature, indicate in the mail what steps you've
taken to verify that the tarball is correct, such as verifying the
contents against the proper tag in the repository. Running make check
over all RA layers and FS backends is also a good idea, as well as
building and testing the bindings.
So IIUC the most important thing is that you indicate explicitly what
you've done. In my case: testing several RA layers, and checking the
checksum and signatures.
Received on 2012-08-12 21:51:06 CEST
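The verification steps the thread and the community guide refer to (checking the published checksum and the detached signature, then expanding the tarball and diffing it against an export of the release tag while ignoring line-ending differences), written out as a small POSIX shell script. This is an added example, not code from the thread, the community guide, or the Subversion project. The function names, the 1.7.6 version number, the sample source tree, and the tarball layout (one top-level directory) are illustrative assumptions; it needs GNU coreutils, GNU diffutils, tar and gpg.

```shell
#!/bin/sh
# Added example (not from the thread or from Subversion itself): the checks a
# signer can state in their +1 mail. All names and sample data are assumptions.

# verify_checksum TARBALL EXPECTED_SHA512_HEX -> 0 iff the digest matches
verify_checksum() {
    actual=$(sha512sum "$1" | cut -d ' ' -f 1)
    [ "$actual" = "$2" ]
}

# verify_signature TARBALL TARBALL.asc -> gpg's exit status. The release
# manager's public key must already be in your keyring; gpg will not fetch it.
verify_signature() {
    gpg --verify "$2" "$1"
}

# diff_against_export TARBALL EXPORT_DIR -> 0 iff the unpacked tree equals
# EXPORT_DIR modulo line endings, 1 if it differs, 2 on error.
# EXPORT_DIR is assumed to come from something like
#   svn export https://svn.apache.org/repos/asf/subversion/tags/<version> EXPORT_DIR
# --strip-trailing-cr makes CRLF text (as in a zip whose text files carry
# native Windows line endings) compare equal to the LF text in the export.
diff_against_export() {
    tmp=$(mktemp -d) || return 2
    if ! tar -xf "$1" -C "$tmp"; then rm -rf "$tmp"; return 2; fi
    set -- "$1" "$2" "$tmp"/*          # assumes a single top-level directory
    if diff -r --strip-trailing-cr "$3" "$2"; then rc=0; else rc=$?; fi
    rm -rf "$tmp"
    return $rc
}

# demo_setup -> prints a scratch directory of constructed sample data:
#   export/                   stand-in for the svn export of the tag (LF files)
#   subversion-1.7.6.tar      same tree, but README has CRLF line endings
#   subversion-1.7.6-bad.tar  same tree with an extra line inserted in main.c
demo_setup() {
    w=$(mktemp -d) || return 2
    mkdir -p "$w/export/subversion" "$w/good" "$w/bad"
    printf 'int main(void) { return 0; }\n' > "$w/export/subversion/main.c"
    printf 'Subversion 1.7.6 README\n' > "$w/export/README"
    cp -R "$w/export" "$w/good/subversion-1.7.6"
    printf 'Subversion 1.7.6 README\r\n' > "$w/good/subversion-1.7.6/README"
    cp -R "$w/good/subversion-1.7.6" "$w/bad/subversion-1.7.6"
    printf '#include <stdlib.h>\nint main(void) { return 0; }\n' \
        > "$w/bad/subversion-1.7.6/subversion/main.c"
    tar -cf "$w/subversion-1.7.6.tar" -C "$w/good" subversion-1.7.6
    tar -cf "$w/subversion-1.7.6-bad.tar" -C "$w/bad" subversion-1.7.6
    echo "$w"
}

# Stand-alone run over the constructed data.
W=$(demo_setup)
# The published .sha512 is simulated by hashing the good tarball ourselves.
SUM=$(sha512sum "$W/subversion-1.7.6.tar" | cut -d ' ' -f 1)
verify_checksum "$W/subversion-1.7.6.tar" "$SUM" && echo "checksum: ok"
diff_against_export "$W/subversion-1.7.6.tar" "$W/export" >/dev/null \
    && echo "tarball matches tag export (line endings ignored)"
diff_against_export "$W/subversion-1.7.6-bad.tar" "$W/export" >/dev/null \
    || echo "tampered tarball differs from tag export (as expected)"
rm -rf "$W"
```

Note that the checksum and the signature are only as good as their source: fetch the .sha512 and .asc files from the project's own distribution location rather than from the same mirror as the tarball, and confirm the signing key's fingerprint out of band before trusting `gpg --verify`.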