raboof commented on issue #385:
URL: https://github.com/apache/tooling-trusted-releases/issues/385#issuecomment-3607250741

> the release should be unambiguously identified already by its subject

While this is ideally the case, I like the clarity of explicitly including git and archive hashes in my vote itself: if I vote on "the tarball on svn/ATR/...", there is some risk of something somewhere tricking me into verifying something other than the 'real' release, or of a consumer of the software being tricked into downloading something that is different from the 'real' release assuming it's the thing I voted on. Of course we have all kinds of safeguards against that in various places, but I think including the VCS hash and/or archive hash directly in the vote email gives a satisfying direct 'paper trail' to tie things together - and those are rather long/impractical to include in the subject.

> Allowing a template for voters to include in the body of their email is tracked by [#332](https://github.com/apache/tooling-trusted-releases/issues/332). I've increased the priority of that issue very slightly.

Thanks.

> Are these existing three issues ([#315](https://github.com/apache/tooling-trusted-releases/issues/315), [#363](https://github.com/apache/tooling-trusted-releases/issues/363) with tag or revision as default, and [#332](https://github.com/apache/tooling-trusted-releases/issues/332)) sufficient to resolve this?

I think so, let's close this.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
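The paper-trail check raboof describes, as an added example that is not part of the ATR project or of this thread: a voter records the SHA-512 of the archive and the Git commit in the vote body, and anyone can later confirm a downloaded artifact against exactly those lines rather than against whatever currently sits at the quoted path. The `SHA-512:` / `Git commit:` line format, the sample bytes and the commit id are assumptions.

```python
"""Record and re-check release hashes quoted in a vote email body."""
import hashlib
import re

# Assumed vote-body convention (not an ATR format): one line per value.
HASH_RE = re.compile(r"^SHA-512:\s*([0-9a-fA-F]{128})\s*$", re.MULTILINE)
COMMIT_RE = re.compile(r"^Git commit:\s*([0-9a-fA-F]{40})\s*$", re.MULTILINE)


def vote_record(artifact: bytes, commit: str) -> str:
    """Lines the voter pastes into the vote email, tying it to the bytes voted on."""
    digest = hashlib.sha512(artifact).hexdigest()
    return f"SHA-512: {digest}\nGit commit: {commit}\n"


def verify_vote(vote_body: str, artifact: bytes, commit: str) -> dict:
    """Compare an artifact and commit against the values recorded in the vote.

    Reports separately whether each value was recorded at all and whether it
    matches, so a vote that never quoted a hash is distinguishable from a
    mismatch (a consumer should treat both as "not the thing that was voted on").
    """
    h = HASH_RE.search(vote_body)
    c = COMMIT_RE.search(vote_body)
    result = {"hash_recorded": h is not None, "commit_recorded": c is not None,
              "hash_matches": False, "commit_matches": False}
    if h:
        result["hash_matches"] = (
            h.group(1).lower() == hashlib.sha512(artifact).hexdigest())
    if c:
        result["commit_matches"] = c.group(1).lower() == commit.lower()
    return result


if __name__ == "__main__":
    # Constructed sample: placeholder tarball bytes and a placeholder commit id.
    tarball = b"constructed release archive bytes, not a real release"
    commit = "0123456789abcdef0123456789abcdef01234567"
    body = "+1 (binding)\n" + vote_record(tarball, commit)
    print(verify_vote(body, tarball, commit))          # everything matches
    print(verify_vote(body, tarball + b"\x00", commit))  # swapped archive: hash mismatch
    print(verify_vote("+1 (binding)\n", tarball, commit))  # nothing recorded
```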