subversion-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From sebb AT ASF <s...@apache.org>
Subject Re: svn commit: r1838746 - /subversion/site/staging/download.html
Date Sat, 25 Aug 2018 16:06:31 GMT
On 25 August 2018 at 13:44, Stefan <luke1410@posteo.de> wrote:
> On 25/08/2018 14:37, Stefan wrote:
>> On 23/08/2018 20:01, sebb@apache.org wrote:
>>> Author: sebb
>>> Date: Thu Aug 23 18:01:30 2018
>>> New Revision: 1838746
>>>
>>> URL: http://svn.apache.org/viewvc?rev=1838746&view=rev
>>> Log:
>>> SVN-4736 - fix gpg command
>>>
>>> Modified:
>>>     subversion/site/staging/download.html
>>>
>>> Modified: subversion/site/staging/download.html
>>> URL: http://svn.apache.org/viewvc/subversion/site/staging/download.html?rev=1838746&r1=1838745&r2=1838746&view=diff
>>> ==============================================================================
>>> --- subversion/site/staging/download.html (original)
>>> +++ subversion/site/staging/download.html Thu Aug 23 18:01:30 2018
>>> @@ -253,7 +253,7 @@ Other mirrors:
>>>  <em>or</em><br />
>>>  <code>
>>>  % gpg --import subversion.asc<br />
>>> -% gpg --verify subversion-[version].tar.gz.asc
>>> +% gpg --verify subversion-[version].tar.gz.asc subversion-[version].tar.gz
>> Testing GPG locally (2.2.8 - Windows 10 - bundled version with Gpg4Win
>> 3.1.2) running the command w/o specifying the filename of the gz archive
>> works fine:
>> "gpg: assuming signed data in 'subversion-1.10.2.tar.bz2' [...]"
>>
>> Is this command problematic with older GPG versions? If not, why not
>> keep the command as short as possible and rely on the default resolution
>> of the archive name?
> Just saw the referenced SVN issue with the link which gives the missing
> rational for that change. Thanks for that (should have spotted it before
> replying). For the record:

Would it be useful to link to the explanation from the download page?

> "If the release file is omitted, GPG will only check the signature
> against the release file if the signature is a detached signature. If
> the .asc file is a self-contained signed file, GPG will only check that,
> and will not verify the release. (This should not happen if the
> signature file was downloaded from an ASF server, but it is safer to
> always specify the release filename)" [1]
>
> That said, +1 on that change. Feel free to merge it to publish.
>
> [1] https://www.apache.org/info/verification.html#CheckingSignatures
>>>  </code></p>
>>>
>>>  <p>Alternatively, you can verify the checksums on the
>>>
>>
> Regards,
> Stefan
>

Mime
View raw message