Zsh Mailing List Archive Messages sorted by: Reverse Date, Date, Thread, Author

Re: reproducing release tarball for 5.0.7

X-seq: zsh-workers 33442
From: Peter Stephenson <p.w.stephenson@xxxxxxxxxxxx>
To: zsh-workers@xxxxxxx
Subject: Re: reproducing release tarball for 5.0.7
Date: Sun, 12 Oct 2014 18:00:13 +0100
In-reply-to: <20141011001908.GA18706@ruderich.org>
List-help: <mailto:zsh-workers-help@zsh.org>
List-id: Zsh Workers List <zsh-workers.zsh.org>
List-post: <mailto:zsh-workers@zsh.org>
Mailing-list: contact zsh-workers-help@xxxxxxx; run by ezmlm
References: <20141009201629.GA10638@tower.spodhuis.org> <20141011001908.GA18706@ruderich.org>

On Sat, 11 Oct 2014 02:19:08 +0200
Simon Ruderich <simon@xxxxxxxxxxxx> wrote:
> How do you feel about providing GPG signatures for the tarballs
> and the git tags? This would fix this issue and make it possible
> for everybody to verify zsh's releases. For example Debian has
> tools to automatically verify the upstream tarball after the
> download if upstream provides signatures. This allows maintainers
> to be sure they downloaded the correct tarball.
> 
> If you like I could prepare a patch for the Makefile to sign the
> resulting tarballs, so a "make sign" is the only required action.
> For Git it's even easier, instead of git tag $tag, you can just
> use git tag -s -m 'optional message' $tag and it will be signed.
> I'm already using signed tags for the website.

Could do, guess we need a new key for this.

pws

Follow-Ups:
- Re: reproducing release tarball for 5.0.7
  - From: Phil Pennock

References:
- reproducing release tarball for 5.0.7
  - From: Phil Pennock
- Re: reproducing release tarball for 5.0.7
  - From: Simon Ruderich

Messages sorted by: Reverse Date, Date, Thread, Author