Stamatis, thanks for your work on this.

Stamatis>The checksum hash that was communicated in the vote email was wrong
Stamatis>that the correct one was send along with the artifacts and people
used this
Stamatis>for the checks I assume there is no problem.

I'm inclined that we should vote with -1 (or wait for RM to send the
updated checksum) when checksum in the mail does not match to the checksum
of the archive.

Well, it is OK, if release manager sends updates, however it should not be
the case that actual checksum
differs from the one that was suggested in the vote mail.

Different checksums might mean there's MITM attempt, and it sounds wrong
that we "kind of ignore it".
Even though I agree the impact in this case was quite low (e.g. I've
personally verified PGP signature and ensured it was SHA512 based), we
would probably want to refrain from repeating that practice.

I would like to follow to simplify release


Reply via email to