On Tue, May 15, 2012 at 11:16 AM, C. Michael Pilato <[email protected]> wrote: > On 05/15/2012 11:04 AM, Philip Martin wrote: >> Philip Martin <[email protected]> writes: >> >>> Please add your signatures to the .asc files there. >>> You can use the release.py script for this: >>> release.py sign-candidates --target /path/to/dist/dev/subversion/wc 1.7.5 >>> which is the equivalent of running the following command for each >>> tarball: >>> gpg -ba -f - subversion-1.6.18.tar.bz2 >> subversion-1.6.18.tar.bz2.asc >> >> I copied this from previous announcements but I'm not sure the release >> process is right here. The "release.py sign-candidates" suggestion >> implies that we expect people to sign all the files but for previous >> releases, when I was not release manager, I only signed the Unix >> tarballs since that is what I tested. If people sign all the files it >> makes it harder to determine whether we have the required number of >> Windows/Unix signatures. >> >> We currently have 5 signatures on the Unix tarballs and 6 signatures on >> the Windows zip file but from the mails to dev I believe that 1.7.5 >> still requires another "real" Windows signature. > > I've never signed the Windows ZIP files, and don't see why I should when I > haven't personally verified their content. I suspect Johan and Paul are the > only folks who've really tested the release on Windows.
Yes, I only verified and tested (on Windows) the subversion-1.7.5.zip file. This is how I've always done it. I'm happy to sign the tarballs too, but I think it makes more sense to return to our de facto standard of only signing what we test. -- Paul T. Burba CollabNet, Inc. -- www.collab.net -- Enterprise Cloud Development Skype: ptburba
