subversion-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Stefan <luke1...@posteo.de>
Subject Re: svn commit: r1838746 - /subversion/site/staging/download.html
Date Sat, 25 Aug 2018 12:44:20 GMT
On 25/08/2018 14:37, Stefan wrote:
> On 23/08/2018 20:01, sebb@apache.org wrote:
>> Author: sebb
>> Date: Thu Aug 23 18:01:30 2018
>> New Revision: 1838746
>>
>> URL: http://svn.apache.org/viewvc?rev=1838746&view=rev
>> Log:
>> SVN-4736 - fix gpg command
>>
>> Modified:
>>     subversion/site/staging/download.html
>>
>> Modified: subversion/site/staging/download.html
>> URL: http://svn.apache.org/viewvc/subversion/site/staging/download.html?rev=1838746&r1=1838745&r2=1838746&view=diff
>> ==============================================================================
>> --- subversion/site/staging/download.html (original)
>> +++ subversion/site/staging/download.html Thu Aug 23 18:01:30 2018
>> @@ -253,7 +253,7 @@ Other mirrors:
>>  <em>or</em><br /> 
>>  <code> 
>>  % gpg --import subversion.asc<br /> 
>> -% gpg --verify subversion-[version].tar.gz.asc
>> +% gpg --verify subversion-[version].tar.gz.asc subversion-[version].tar.gz
> Testing GPG locally (2.2.8 - Windows 10 - bundled version with Gpg4Win
> 3.1.2) running the command w/o specifying the filename of the gz archive
> works fine:
> "gpg: assuming signed data in 'subversion-1.10.2.tar.bz2' [...]"
>
> Is this command problematic with older GPG versions? If not, why not
> keep the command as short as possible and rely on the default resolution
> of the archive name?
Just saw the referenced SVN issue with the link which gives the missing
rational for that change. Thanks for that (should have spotted it before
replying). For the record:
"If the release file is omitted, GPG will only check the signature
against the release file if the signature is a detached signature. If
the .asc file is a self-contained signed file, GPG will only check that,
and will not verify the release. (This should not happen if the
signature file was downloaded from an ASF server, but it is safer to
always specify the release filename)" [1]

That said, +1 on that change. Feel free to merge it to publish.

[1] https://www.apache.org/info/verification.html#CheckingSignatures
>>  </code></p>
>>  
>>  <p>Alternatively, you can verify the checksums on the
>>
>
Regards,
Stefan


Mime
View raw message