Good morning Albert, On Monday, 20 August 2018 23:45:14 CEST Albert Astals Cid wrote: > > > You mean you're afraid somebody hacked on freedesktop git and > > > replaced > > > https://cgit.freedesktop.org/poppler/poppler/tag/?h=poppler-0.67.0 > > > to a different commit than the one that I originally tagged? > > > > I think he meant the tarballs, which in Poppler are released without > > any checksum. > > Ah, right, i was thinking he meant the git hash and not the hash of the > tarball itself :D > > I guess i can sign the packages, i'm doing it when releasing KDE > Applications so it's not more work.
thank you very much, it's highly appreciated! Yes, I meant the tarballs. The same thing theoretically applies to an *unsigned* git tag, but if someone manages to replace that, other people will notice very soon on the next update to their local tree. -> a signed tarball will do :) > I'll try to remember for next release. for releases of libftdi (=library for certain USB serial converters), I started to create a release checklist: http://developer.intra2net.com/git/?p=libftdi;a=blob;f=doc/release-checklist.txt Over the years it were just too many steps to remember :) Cheers, Thomas _______________________________________________ poppler mailing list [email protected] https://lists.freedesktop.org/mailman/listinfo/poppler
