Hi Ludovic,

Ludovic Courtès <l...@gnu.org> writes:

> What would you think of releasing ‘stable-2.2’ as 2.2.5?

I think it's a fine idea.

> It’s great if you can do it, Mark, but otherwise I can do it.

Regrettably, Guile 2.2 has become too heavy to build on the only machine in my possession that I have any trust in.

I don't have a machine that I consider sufficiently trustworthy to produce build outputs for wider distribution. I'm not sure that any of us do.

To mitigate the risk that a compromised development machine could be used to attack others, I propose that we adopt a practice of distributed verification of release tarballs. We would publish code that uses Guix to produce the release tarball deterministically, and put out a call for volunteers to generate the tarball and post signed declarations containing the hash of the resulting tarball. After we have received several such declarations, we can sign and publish the official tarball.

What do you think?

Mark
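
Added example, not part of the original message and not Guile or Guix code: a sketch of the check a release manager could run before signing, once volunteers have posted their declarations. It assumes each declaration's signature was already verified (for instance with gpg) and reduced to a (signer fingerprint, SHA-256) pair; the threshold of 3, the rule that any dissent blocks the release, and all names and sample data are assumptions.

```python
import hashlib
from collections import defaultdict


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def evaluate(declarations, local_tarball: bytes, threshold: int = 3):
    """Decide whether the locally built tarball may be signed.

    declarations: (signer_fingerprint, claimed_sha256) pairs whose
    signatures were verified beforehand (assumption).
    Returns (ok, reason).
    """
    local = sha256_hex(local_tarball)
    by_signer = defaultdict(set)
    for signer, digest in declarations:
        by_signer[signer].add(digest.strip().lower())

    # One vote per signer: reposting the same hash does not add weight,
    # and a signer vouching for two different hashes is an anomaly.
    equivocators = sorted(s for s, d in by_signer.items() if len(d) > 1)
    if equivocators:
        return False, f"conflicting declarations from: {equivocators}"

    votes = {s: next(iter(d)) for s, d in by_signer.items()}
    dissent = sorted(s for s, d in votes.items() if d != local)
    if dissent:
        # Either the build is not deterministic or some machine
        # (possibly ours) produced a different artifact: do not sign.
        return False, f"hash mismatch reported by: {dissent}"

    agree = len(votes)
    if agree < threshold:
        return False, f"only {agree} of {threshold} required declarations"
    return True, f"{agree} independent builders reproduced {local}"


if __name__ == "__main__":
    tarball = b"constructed stand-in for the release tarball"  # sample data
    h = sha256_hex(tarball)
    posted = [("FPR-A", h), ("FPR-B", h), ("FPR-C", h.upper()), ("FPR-A", h)]
    print(evaluate(posted, tarball))
    posted.append(("FPR-D", sha256_hex(b"a different build output")))
    print(evaluate(posted, tarball))
```
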