All,
I spent some time today verifying that the release artifacts that Mark
published the other day for 10.1.5 were indeed reproducible by me.
Fortunately, they were, but it was a little bit of a process so I went
ahead and documented it.
https://cwiki.apache.org/confluence/display/TOMCAT/Verifying+a+Release+Build
Now, anybody can follow those instructions and perform a verifiable
release build and sure that the process truly is repeatable and verifiable.
I'd love it if anyone who is mildly interested in such things would (a)
check my work in Confluence and (b) actually try the verification
process on any of this month's builds to see if you are successful.
Some things on my TODO list for this:
1. Allow verification without having to install+configure GPG
2. Allow verification using a "verify" ant build target
This should be as straightforward as possible, so anyone wanting to
see what is being done isn't confused by byzantine ant stuff. It
should be as straightforward as a shell script with no functions
or loops.
Unfortunately, the existing ant script contains <property> tasks at the
top-level and not in a <target>, so they occur before all targets. That
means that we either need to have users wanting to verify builds
create/modify one of the several build.properties files, or specify some
properties on the command-line e.g. to disable GPG.
I could also write a separate build-verify.xml which might be a bit more
straightforward to both implement AND read by a potential verifier.
-chris
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
