subversion-dev mailing list archives

From Daniel Shahaf <>
Subject collecting signatures for releases: thoughts on{2011-12-04}
Date Fri, 03 Dec 2010 22:51:12 GMT
[ Summary: collect signatures for releases via a CGI that verifies
signatures and commits them to a Subversion repository. ]

We now have a CGI script[1] that collects the signatures for release,
verifies them, and assembles them into *.asc files.  That automates
some work that previously fell upon the release manager.

Several features were suggested for the CGI:

* verify signatures as they are being collected [this was present in the CGI from day one]
* allow anyone (not just the RM) to retrieve collected signatures [this was implemented last
* notify dev@ upon new signatures
* notify IRC upon new signatures
* display statistics about the collected signatures

It seems to me that we could meet most of these requirements ---
specifically, the second, third, and fourth --- by storing the
signatures in a Subversion repository.  We could continue meeting
the first requirement by using the signature-verifying CGI as a doorway;

Specifically, the suggested process is:

* Signatures would be entered into the CGI.
* The CGI would verify them (like today).
* The CGI would then commit them to the backing repository. 
* Notification to dev@/IRC will be handled by standard post-commit hooks.

This addresses all but the 'statistics' criterion (which includes, for
example, reporting how many signatures each tarball currently has and
how they are distributed between Unix/Windows).
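
The doorway process proposed above (verify first, commit only what verified, leave notification to post-commit hooks), sketched as an added example; it is not part of the original message and is not the project's CGI script. The function names, the `verify` hook and the commit message format are assumptions, and it assumes the gpg keyring used by the CGI holds only keys that are allowed to sign releases.

```python
import re
import subprocess
import tempfile

# One ASCII-armored detached signature, as pasted into a form field.
ARMOR_RE = re.compile(
    r"-----BEGIN PGP SIGNATURE-----\n.*?\n-----END PGP SIGNATURE-----\n?",
    re.DOTALL)

def split_signatures(submission):
    """Return each armored signature block found in the pasted text."""
    text = submission.replace("\r\n", "\n")  # form posts arrive with CRLF
    return [m.group(0).rstrip("\n") + "\n" for m in ARMOR_RE.finditer(text)]

def gpg_verify(signature, tarball_path):
    """Return the signing key's fingerprint if gpg accepts the signature, else None."""
    with tempfile.NamedTemporaryFile("w", suffix=".asc") as sig:
        sig.write(signature)
        sig.flush()
        proc = subprocess.run(
            ["gpg", "--status-fd", "1", "--verify", sig.name, tarball_path],
            capture_output=True, text=True)
    if proc.returncode != 0:
        return None
    for line in proc.stdout.splitlines():
        fields = line.split()
        # "[GNUPG:] VALIDSIG <fingerprint> ..." names the key behind a verified signature.
        if fields[:2] == ["[GNUPG:]", "VALIDSIG"] and len(fields) > 2:
            return fields[2]
    return None

def collect(submission, tarball_path, existing_asc="", verify=gpg_verify):
    """Gate step: return (new .asc text, accepted fingerprints, rejected count)."""
    asc, accepted, rejected = existing_asc, [], 0
    for block in split_signatures(submission):
        fpr = verify(block, tarball_path)
        if fpr is None:
            rejected += 1            # never reaches the repository
        elif block not in asc:       # skip a signature that is already stored
            asc += block
            accepted.append(fpr)
    return asc, accepted, rejected

def commit(working_copy, asc_relpath, fingerprints):
    """Commit the updated .asc (call only when something was accepted)."""
    msg = "Add signature(s) from: " + ", ".join(fingerprints)
    subprocess.run(["svn", "add", "--force", asc_relpath], cwd=working_copy, check=True)
    subprocess.run(["svn", "commit", "-m", msg, asc_relpath], cwd=working_copy, check=True)
```

Because the repository only ever receives blocks that passed `verify`, the post-commit notifications to dev@/IRC report verified signatures only.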