Zsh Mailing List Archive

Re: reproducing release tarball for 5.0.7



On Thu, Oct 09, 2014 at 08:16:29PM +0000, Phil Pennock wrote:
> Folks,
>
> Given a clean repository checkout, what is needed to be able to create
> the release tarballs for verification please?

Hello Peter,

How do you feel about providing GPG signatures for the tarballs
and the git tags? This would fix this issue and make it possible
for everybody to verify zsh's releases. For example Debian has
tools to automatically verify the upstream tarball after the
download if upstream provides signatures. This allows maintainers
to be sure they downloaded the correct tarball.

If you like, I could prepare a patch for the Makefile to sign the
resulting tarballs, so that "make sign" is the only required action.
For Git it's even easier: instead of git tag $tag, you can just
use git tag -s -m 'optional message' $tag and it will be signed.
I'm already using signed tags for the website.

Regards
Simon
-- 
+ privacy is necessary
+ using gnupg http://gnupg.org
+ public key id: 0x92FEFDB7E44C32F9

Attachment: signature.asc
Description: Digital signature
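For readers who want to see what the proposed "make sign" target and the signed-tag workflow would look like in practice, here is an added illustration. It is not Simon's patch and not part of the zsh Makefile; the version number, tarball names, key id and tag name are assumptions chosen for the example.

```makefile
# Added example, not part of zsh's build system.  Produces detached,
# ASCII-armoured GPG signatures for the release tarballs ("make sign"),
# lets a packager check them ("make verify-sign"), and creates a signed
# git tag ("make tag").  VERSION, TARBALLS and SIGNINGKEY are assumed
# values for illustration only.
VERSION    = 5.0.7
TARBALLS   = zsh-$(VERSION).tar.gz zsh-$(VERSION).tar.xz zsh-$(VERSION)-doc.tar.xz
SIGNINGKEY = 0x0000000000000000   # hypothetical release-signing key id
GPG        = gpg
GIT        = git
SIGS       = $(addsuffix .asc,$(TARBALLS))

.PHONY: sign verify-sign tag verify-tag

# One detached signature per tarball, written next to it as <name>.asc.
sign: $(SIGS)

# The signature covers the compressed file exactly as distributed, so a
# mirror that recompresses or otherwise alters the archive fails to verify.
%.asc: %
	$(GPG) --batch --yes --local-user $(SIGNINGKEY) --armor --detach-sign --output $@ $<

# What a downstream packager (e.g. a Debian watch/uscan setup) runs after
# download: gpg exits non-zero on a bad or missing signature.
verify-sign: $(SIGS)
	for f in $(TARBALLS); do $(GPG) --verify $$f.asc $$f || exit 1; done

# A signed tag binds the release name to a commit under the signer's key;
# "git tag -v" checks it against the keys in the verifier's keyring.
tag:
	$(GIT) tag -s -u $(SIGNINGKEY) -m "zsh $(VERSION)" zsh-$(VERSION)

verify-tag:
	$(GIT) tag -v zsh-$(VERSION)
```

Two caveats a packager will care about: the verifier must already trust the signing key through some channel other than the download site (the key id printed in a mail signature, or a keyring shipped in the distribution's packaging), and the detached signatures must be published alongside the tarballs so tools that fetch `<tarball>.asc` automatically can find them.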


