El dimarts, 21 d’agost de 2018, a les 9:28:26 CEST, Thomas Jarosch va escriure: > Good morning Albert, > > On Monday, 20 August 2018 23:45:14 CEST Albert Astals Cid wrote: > > > > You mean you're afraid somebody hacked on freedesktop git and > > > > replaced > > > > https://cgit.freedesktop.org/poppler/poppler/tag/?h=poppler-0.67.0 > > > > to a different commit than the one that I originally tagged? > > > > > > I think he meant the tarballs, which in Poppler are released without > > > any checksum. > > > > Ah, right, i was thinking he meant the git hash and not the hash of the > > tarball itself :D > > > > I guess i can sign the packages, i'm doing it when releasing KDE > > Applications so it's not more work. > > thank you very much, it's highly appreciated! > > Yes, I meant the tarballs. The same thing theoretically applies to an > *unsigned* git tag, but if someone manages to replace that, other people > will notice very soon on the next update to their local tree. > > -> a signed tarball will do :) > > > I'll try to remember for next release. > > for releases of libftdi (=library for certain USB serial converters), > I started to create a release checklist: > http://developer.intra2net.com/git/?p=libftdi;a=blob;f=doc/release-checklist.txt
Don't worry, i have a checklist ;) Cheers, Albert > > Over the years it were just too many steps to remember :) > > Cheers, > Thomas > > > > _______________________________________________ > poppler mailing list > [email protected] > https://lists.freedesktop.org/mailman/listinfo/poppler > _______________________________________________ poppler mailing list [email protected] https://lists.freedesktop.org/mailman/listinfo/poppler
