[ANNOUNCE] libevdev 1.2

Mon May 5 15:43:15 PDT 2014

On Tue, May 06, 2014 at 12:06:13AM +0200, Stephen Kitt wrote:
> On Sun, 04 May 2014 11:43:18 +1000, Peter Hutterer <peter.hutterer at who-t.net>
> wrote:
> > On 3/05/2014 21:21 , Stephen Kitt wrote:
> > > On Wed, 30 Apr 2014 15:25:41 +1000, Peter Hutterer
> > > <peter.hutterer at who-t.net> wrote:
> > >> http://www.freedesktop.org/software/libevdev/libevdev-1.2.tar.xz
> > >> MD5:  220b17e015876cc045bddd891ab4fdc3  libevdev-1.2.tar.xz
> > >> SHA1: 787fc00c1ee023a179b46e57d6b5f7d84403c040  libevdev-1.2.tar.xz
> > >> SHA256: 4195618067c01d915f67ad3034e89aaa597f5d548dbdd31fa12c569d4bf5a440
> > >> libevdev-1.2.tar.xz
> > >
> > > This, along with your signed announcement, means that the integrity of the
> > > archives can be checked properly manually; thanks!
> > >
> > > Would it also be possible to upload detached signatures to the archive,
> > > alongside the tarballs? That way the signatures could be checked
> > > automatically by the Debian infrastructure...
> > 
> > We're using the release script from xorg:
> > http://cgit.freedesktop.org/xorg/util/modular/tree/release.sh
> > 
> > Feel free to send me patches to add the format you need. Though I do 
> > wonder: the tarball isn't available over https so I'm not sure what 
> > adding a separate file with checksums would add, especially if it's on 
> > the same server.
> 
> OK, I'll look into it.
> 
> I wasn't thinking of adding a separate file with checksums, but of adding a
> detached gnupg signature, which is verifiable with out-of-band information,
> given that your key is well connected in the WoT. (And while I'm at it,
> signing the git tag.)

huh, weird. I use the same script to tag modules and it signs off
automatically. for some reason it didn't do it for libevdev 1.2, sorry about
that. 

my bash history doesn't show me tagging it so it must've been done by the
release.sh script. Might be worth adding -s to the tag command in that
script then

Cheers,
   Peter