incubator-general mailing list archives

From Daniel Shahaf <...@daniel.shahaf.name>
Subject Re: Release procedural question
Date Fri, 02 Nov 2012 18:44:38 GMT
Chip Childers wrote on Fri, Nov 02, 2012 at 14:27:24 -0400:
> On Fri, Nov 2, 2012 at 9:26 AM, Chip Childers <chip.childers@sungard.com> wrote:
> > Hi all,
> >
> > In reading the release policy section about the detached signature
> > file and the voting process, there is a mention about allowing (at the
> > RM's discretion) other PMC members (in a podling's case, PPMC members)
> > to concatenate their own signature to the *.asc release artifacts as
> > part of their +1 vote.
> >
> > As the RM for the (currently being voted on) CloudStack release, I
> > have been provided with another PPMC member's detached signature.
> >
> > Can someone please confirm that, after validating that adding the
> > signature to the asc file works, I'm allowed to use the new combined
> > signature file as the final release artifact?  Is there anything that
> > I should be aware of when adding this second signature?
> >

In my experience, 'gpg --verify' sometimes verifies only the first
signature in a file.  Hence:

[[[
% cat ~/bin/gpg-verify-many
#!/bin/sh
# perl -pe 'open STDOUT, "| gpg --verify - subversion-1.7.0-rc1.tar.gz" if /BEGIN/' < *rc1*asc

usage() {
  echo "USAGE: $0 \$foo.tar.gz \$foo.tar.gz.asc"
  echo "USAGE: $0 \$foo.tar.gz <\$foo.tar.gz.asc"
}

if [ $# -ge 2 ]; then
  ascfile=""
else
  ascfile="$1.asc"
fi

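# Each time a BEGIN armor line is seen, reopen STDOUT onto a fresh
# 'gpg --verify', so every signature block is checked on its own.
perl -pe 'BEGIN { $target = shift }  open STDOUT, "| gpg --verify - $target" if /BEGIN/' "$@" $ascfile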
]]]

I don't know if that's still the case in more recent versions of gpg.

> > Thanks for the support and advice.
> >
> > -chip
> 
> Given the release policy [1] description of adding additional
> signatures to the release, and testing locally to ensure that the
> concatenated signature validates correctly, I will presume that this
> is a normal practice and move forward.
> 

It's normal practice.  Every Subversion release does it.

> Thanks!
> 
> -chip
> 
> [1] http://www.apache.org/dev/release.html#what-must-every-release-contain
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
> For additional commands, e-mail: general-help@incubator.apache.org
> 
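A fail-closed variant of the per-signature check discussed in this message, as an added example that is not part of the original post: it splits the concatenated .asc into individual armored blocks, verifies each one separately, and returns non-zero if any signature fails or if the number of blocks differs from the number of signers the RM expects. The function names split_sigs and verify_all are hypothetical, and gpg is assumed to be on PATH.

```shell
#!/bin/sh
# Added example (not from the original message).

# split_sigs ASCFILE OUTDIR
# Write each armored signature block to OUTDIR/sig-N.asc; print the count.
split_sigs() {
  awk -v dir="$2" '
    /^-----BEGIN PGP SIGNATURE-----/ { n++; out = dir "/sig-" n ".asc"; inblock = 1 }
    inblock { print > out }
    /^-----END PGP SIGNATURE-----/ { if (inblock) close(out); inblock = 0 }
    END { print n + 0 }
  ' "$1"
}

# verify_all TARGET ASCFILE [EXPECTED_COUNT]
# Returns 0 only if at least one block exists, the count matches
# EXPECTED_COUNT (when given), and gpg accepts every block.
verify_all() {
  target=$1
  asc=$2
  expected=${3:-}
  tmp=$(mktemp -d) || return 2
  count=$(split_sigs "$asc" "$tmp")
  status=0
  if [ "$count" -eq 0 ]; then
    echo "no signature blocks found in $asc" >&2
    status=1
  fi
  if [ -n "$expected" ] && [ "$count" -ne "$expected" ]; then
    echo "expected $expected signatures, found $count" >&2
    status=1
  fi
  i=1
  while [ "$i" -le "$count" ]; do
    # One gpg invocation per block, so no signature is silently skipped.
    gpg --batch --verify "$tmp/sig-$i.asc" "$target" || status=1
    i=$((i + 1))
  done
  rm -rf "$tmp"
  return "$status"
}

# Stand-alone use: script TARGET ASCFILE [EXPECTED_COUNT]
if [ "$#" -ge 2 ]; then
  verify_all "$@"
fi
```

Passing the expected signer count as the third argument catches a signature that was dropped or mangled while the files were being concatenated.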
