On Sat, Mar 30, 2024 at 06:29:48PM +0100, Daniel Stenberg via curl-library
wrote:
> Any proposals for how to document the exact set of tools+versions I use for
> each release in case someone in the future wants to reproduce an ancient
> release tarball?
SPDX seems to be the standard SBOM format
On Sat, 30 Mar 2024, Jeffrey Walton wrote:
If I am not mistaken, you usually take the Autotools gear that is
provided by the distro. There's no need to chase m4 files.
I'm talking about these m4 files:
$ ls -l m4/*m4 | wc -l
28
They are our custom autoconf functions.
However, you should
On Sat, 30 Mar 2024, Daniel Stenberg via curl-library wrote:
For the most recent curl release, my toolset that I believe might affect the
results include:
Since I do all releases on Debian Linux and they occasionally apply patches
that make them deviate from the upstream versions, it was
I usually check in the gpg signatures of the downloaded artifacts (which I have
checked against verified keys) and make that part of the tag.
--
Unsubscribe: https://lists.haxx.se/mailman/listinfo/curl-library
Etiquette: https://curl.se/mail/etiquette.html
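The steps discussed in this thread (clone the repo, check out the release tag, install the same set of tools, run ./maketgz, and compare against a signed, published tarball) can be scripted. The following is an added example written for this page, not curl's own maketgz or release tooling. It assumes GNU coreutils (sha256sum), GNU tar, git and gpg; the GitHub clone URL, the curl-X_Y_Z tag naming and the name of the generated tarball are assumptions, and the public key file and download URL are placeholders you replace with values you have verified yourself.

```shell
#!/bin/sh
# Added example, not part of the curl project: helpers for reproducing a
# release tarball the way the thread describes and for checking the result.
# Assumptions: GNU coreutils (sha256sum), GNU tar, git, gpg are installed;
# the clone URL, tag convention and output file name are assumed, the signing
# key file and download URL are placeholders.
set -eu

# Record the versions of the tools that can change the generated files
# (configure, Makefile.in, ltmain.sh, the tarball itself), one line per tool,
# so a rebuild's tool set can be diffed against the release engineer's list.
record_toolchain() {
    for tool in autoconf automake libtool m4 perl make tar gzip; do
        if command -v "$tool" >/dev/null 2>&1; then
            # first output line containing a digit (perl -v starts with a blank line)
            ver=$("$tool" --version 2>&1 | sed -n '/[0-9]/{p;q;}')
        else
            ver="(not installed)"
        fi
        printf '%s: %s\n' "$tool" "${ver:-unknown}"
    done
}

# SHA-256 of one file, without the trailing file name.
sha256_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# Return 0 when two files are byte-identical (same SHA-256), 1 otherwise.
same_sha256() {
    [ "$(sha256_of "$1")" = "$(sha256_of "$2")" ]
}

# Verify a detached signature ($2) over a tarball ($1) using only the
# expected public key ($3, an exported key file you have verified) in a
# throwaway keyring, so an unrelated key in ~/.gnupg cannot make it pass.
verify_release_signature() {
    keyring=$(mktemp -d)
    chmod 700 "$keyring"
    gpg --homedir "$keyring" --quiet --import "$3"
    if gpg --homedir "$keyring" --verify "$2" "$1"; then status=0; else status=1; fi
    rm -rf "$keyring"
    return "$status"
}

# Content manifest of a tarball: sorted "sha256  path" lines for every
# member. Two tarballs with identical contents can still differ byte-for-byte
# (member mtimes, owner, gzip header), so this is the fallback comparison
# when same_sha256 fails and you want to know whether the *contents* match.
tarball_manifest() {
    dir=$(mktemp -d)
    tar -xzf "$1" -C "$dir"
    (cd "$dir" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
        sha256sum "$f"
    done)
    rm -rf "$dir"
}

# Return 0 when two tarballs unpack to the same set of files with the same contents.
same_contents() {
    [ "$(tarball_manifest "$1")" = "$(tarball_manifest "$2")" ]
}

# The reproduction itself, as the thread describes: clone, check out the
# release tag, run ./maketgz. Needs network access and the build tools.
# Assumed: tags are named curl-X_Y_Z and maketgz writes curl-X.Y.Z.tar.gz
# into the source directory.
reproduce_release() {
    version=$1                                   # e.g. 8.7.1
    tag=$(printf 'curl-%s' "$version" | tr . _)  # e.g. curl-8_7_1
    git clone --quiet https://github.com/curl/curl.git curl-src
    git -C curl-src checkout --quiet "$tag"
    (cd curl-src && ./maketgz "$version")
    printf '%s\n' "curl-src/curl-$version.tar.gz"
}

# Typical use (placeholders: the downloaded tarball, its .asc and the key file):
#   record_toolchain > my-tools.txt        # compare with the release notes' list
#   verify_release_signature curl-X.Y.Z.tar.gz curl-X.Y.Z.tar.gz.asc release-key.asc
#   rebuilt=$(reproduce_release X.Y.Z)
#   same_sha256 "$rebuilt" curl-X.Y.Z.tar.gz || same_contents "$rebuilt" curl-X.Y.Z.tar.gz
```

Verify the signature before spending time on a rebuild: the signature tells you the tarball is the one the release engineer produced, and only then does a content comparison tell you whether your toolchain reproduces it. A manifest match with a byte mismatch usually points at metadata (timestamps, ownership) rather than at the generated configure or Makefile.in, which is what you actually care about after the xz incident.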
On Sat, Mar 30, 2024 at 2:40 PM Daniel Stenberg via curl-library
wrote:
>
> On Sat, 30 Mar 2024, Howard Chu wrote:
>
> > IMO only project developers should ever be touching the autotools.
> ...
>
> > Only our release engineer ever generates the configure script, and it's
> > committed to the repo
On Sat, 30 Mar 2024, Howard Chu wrote:
IMO only project developers should ever be touching the autotools.
...
Only our release engineer ever generates the configure script, and it's
committed to the repo along with everything else.
For people using releases, it does not matter since the
On Sat, 30 Mar 2024, jim.ful...@webcomposite.com wrote:
While we are here … can we outline all processes to tarball - for example I
see no signing step
I did not mention signing because it does not strictly affect the tarball as
the signature is separate. I gpg sign every release and have
Daniel Stenberg via curl-library wrote:
> Hello,
>
> In the light of the xz attack, I would like to mention that in order to
> reproduce the tarballs I upload for curl release, this is necessary:
>
> - Clone the repo and checkout the release tag
>
> - Install the same set of tools + versions I
Hello,
In the light of the xz attack, I would like to mention that in order to
reproduce the tarballs I upload for curl release, this is necessary:
- Clone the repo and checkout the release tag
- Install the same set of tools + versions I use
- run "./maketgz [version]"
For the most recent