cordova-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Joe Bowser <bows...@gmail.com>
Subject Re: Voting on past releases
Date Tue, 25 Feb 2014 22:47:53 GMT
I'm just going to leave this here:

http://git-scm.com/book/en/Getting-Started-Git-Basics

http://wiki.apache.org/cordova/CuttingReleases
On 25 Feb 2014 14:38, "sebb" <sebbaz@gmail.com> wrote:

> On 25 February 2014 21:47, Michal Mocny <mmocny@chromium.org> wrote:
> > Some tips, since I found this a pain to figure out.  To verify the sha
> file
> > matches:
> >
> >> gpg --print-md SHA512 *.zip | diff - *.sha && echo "Exact match"
> >> gpg --print-md MD5 *.zip | diff - *.md5 && echo "Exact match"
> >
> > Oddly the output of gpg is different than that of sha512sum and md5sum so
> > you cannot use those commands to --check the sums, ugh.  (We should
> > consider changing the way we generate those files, no?).
> >
> > I'm still trying to figure out how to make sure the zip is signed
> > correctly, but am having issues setting up my KEYS.
> >
> > All-in-all I don't think this is that useful of a process to do, since to
> > be really confident you would have to create the full release zip from
> > scratch from source control yourself and compare *that* to the hosted zip
> > to make sure we releasing what you think we are (as is we are just
> > verifying the download isn't corrupt).  But I wanted to go through the
> > process.
>
> I thought the idea was to compare the released zip with the source repo?
> i.e. unpack the release, and compare it with the contents of the tags
> in the repo.
>
> If all the files in the release zip have exact matches in a repo tag,
> then the release zip must be OK .
>
> If any zip files are missing from the repo, then this is a potential
> problem from the point of view of whether the file is suitably
> licensed.
>
> If repo files are missing from the zip, then perhaps there was an
> error creating the release.
> For a past release, that is not an issue - but of course it may be
> necessary to fix the process for the future.
>
> >
> >
> > On Tue, Feb 25, 2014 at 3:33 PM, Lorin Beer <lorin.beer.dev@gmail.com
> >wrote:
> >
> >> I've just submitted my +1 for a number of the past releases, and thought
> >> I'd document here what the steps I took were.
> >>
> >> Since these are past releases, some of which I helped tag and have
> already
> >> run, the checklist is slightly simplified:
> >>
> >> - download package
> >> - sanity check package for expected release artifacts
> >> - tags are correct
> >> - commit hash matches the source
> >>
> >>
> >> On Tue, Feb 25, 2014 at 11:35 AM, Steven Gill <stevengill97@gmail.com
> >> >wrote:
> >>
> >> > It has been brought to our attention that some of our previous
> releases
> >> > were not voted on in accordance with the ASF by-laws. After some
> >> > discussion, we've decided to call a retroactive vote on these
> releases. A
> >> > vote is being conducted by the PMC and the results will be posted here
> >> when
> >> > complete.
> >> >
> >>
>

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message