On Fri, Aug 23, 2019 at 3:00 PM Daniel Klco <daniel.k...@gmail.com> wrote:
> ...I'm just not convinced of the
> value re-implementing in Java brings vs a few simple bash commands...

+1, IMO what's important is for the tools used to be traceable, for
example by including digests of scripts (or Docker images?) in their
output and having people validate those digests before running the
tools.

The OpenWhisk release checking script [1] does that:

  echo "$(basename $0) (script SHA1: $(gpg --print-md SHA1 $0 | cut -d' ' -f2-))"

So that when someone pastes the script output in their vote message,
it points to the exact version of the tool that was used, assuming
people check the script's digest when running it.

-Bertrand

[1] https://github.com/apache/openwhisk-release/blob/master/tools/rcverify.sh
