On Sun, Feb 08, 2015 at 09:04:28PM +0100, Nikos Mavrogiannopoulos wrote:
> On Sat, 2015-02-07 at 23:01 +0100, Phil Sutter wrote:
> > - Fixed 'make dist', replacing most of the manual work in it with a
> > simple call to 'git archive' while doing so.
> > - Incremented Makefile's VERSION variable.
> > - Tagged master with my own signature.
> > - Used 'make dist' to create a new tarball and signature, which I
> > uploaded to gna.org.
> > - pushed master along with the new tag to Github. (Actually, I pushed
> > all earlier tags by accident as well ...)
>
> It looks fine to me. Maybe the tarballs in gna.org are superfluous. The
> releases are already available as tarballs in
> https://github.com/cryptodev-linux/cryptodev-linux/releases
> If you make the tag with "-s" I guess that's equivalent to signing the
> tarball. But I haven't actually checked that.
Hmm, indeed. Although Github obviously does not understand the tag
naming scheme. Therefore the tarball's basename and it's internally used
prefix is 'cryptodev-linux-cryptodev-linux-1.7'. Obviously they are
created using git-archive as well, so at least for 1.7 the content is
identical.
Regarding signed tags: signature verification is only possible with the
actual tag in git at hand ('git tag -v cryptodev-linux-1.7' in this
case). The Github generated tarballs are stripped from any git info
(besides .gitignore), of course. So in fact, data integrity can only be
fully assured by fetching the tarball with associated signature from
gna.org.
Cheers, Phil
_______________________________________________
Cryptodev-linux-devel mailing list
Cryptodev-linux-devel@gna.org
https://mail.gna.org/listinfo/cryptodev-linux-devel
