Rutherther <[email protected]> writes: >> What script was used to prepare your release announcement? Maybe Guix >> warrants its own custom script rather than gnulib's announce-gen, but >> some inspiration from a recent announcement may be useful: > > No script :) I wasn't aware of such scripts and it did not seem worth it > doing such scripts for just two e-mails.
Indeed! Scripts to generate announcements can be helpful to move things into CI/CD and getting to quicker release cycles, but I really prefer a manual v1.5.0 out and delaying getting to perfection until later :) >> https://lists.gnu.org/archive/html/bug-inetutils/2025-12/msg00017.html >> >> The actual wording isn't the important part, and some of this are >> opinonated but the important part are: >> >> 1) Direct URLs >> >> 2) SHA256 and SHA3-256 checksums. Format to use is somewhat >> opinionated, but the information is the important aspect. > > We can add sha3-256, I think previous releases also had only SHA256, but > I think it's fine to add it newly. Are you aware of a Guix package that > is able to calculate these hashes? I see that coreutils 9.8 has this, > but Guix has 9.1. Maybe rhash with --sha3-256 argument? Oh can't you upgrade coreutils?! Even Debian trixie ship with 9.7, it seems odd if Guix v1.5.0 ship with way older Coreutils. But getting v1.5.0 released is more important... Yes, rhash seems like a small well-maintained tool that supports this. And please use --base64, it is supported by modern CoreUtils too and makes for smaller checksums. root@hamster ~# echo foo > foo root@hamster ~# rhash --sha3-256 --base64 foo | tee foo.SHA3-256SUM UhjfEMDr47ONdP4AQNExmKxJZGpDutNzuR7Yh91zT88= foo root@hamster ~# rhash -c foo.SHA3-256SUM --( Verifying foo.SHA3-256SUM )------------------------------------------------- foo OK -------------------------------------------------------------------------------- Everything OK root@hamster ~# >> 3) Some explanation what the URLs and files actually are, like you >> already have, including commands for verification. > > Maybe we can also link the manual pages for installation of Guix. > As for commands for verification, could you elaborate on that? Do you > mean verification of the hashes, signatures, or like if someone wants to > reproduce them themselves? No I just meant the 'rhash -c' command above, so people have some pointer on how to use the checksums. If it is really simple to reproduce release artifacts, including that information too may be nice, but not critical IMO. /Simon
signature.asc
Description: PGP signature
