[ANNOUNCE] libevdev 1.2
Peter Hutterer
peter.hutterer at who-t.net
Mon May 5 17:06:38 PDT 2014

On Tue, May 06, 2014 at 01:15:06AM +0200, Stephen Kitt wrote:
> On Tue, 6 May 2014 00:06:13 +0200, Stephen Kitt <skitt at debian.org> wrote:
> > On Sun, 04 May 2014 11:43:18 +1000, Peter Hutterer
> > <peter.hutterer at who-t.net> wrote:
> > > On 3/05/2014 21:21 , Stephen Kitt wrote:
> > > > On Wed, 30 Apr 2014 15:25:41 +1000, Peter Hutterer
> > > > <peter.hutterer at who-t.net> wrote:
> > > >> http://www.freedesktop.org/software/libevdev/libevdev-1.2.tar.xz
> > > >> MD5: 220b17e015876cc045bddd891ab4fdc3 libevdev-1.2.tar.xz
> > > >> SHA1: 787fc00c1ee023a179b46e57d6b5f7d84403c040 libevdev-1.2.tar.xz
> > > >> SHA256:
> > > >> 4195618067c01d915f67ad3034e89aaa597f5d548dbdd31fa12c569d4bf5a440
> > > >> libevdev-1.2.tar.xz
> > > >
> > > > This, along with your signed announcement, means that the integrity of
> > > > the archives can be checked properly manually; thanks!
> > > >
> > > > Would it also be possible to upload detached signatures to the archive,
> > > > alongside the tarballs? That way the signatures could be checked
> > > > automatically by the Debian infrastructure...
> > >
> > > We're using the release script from xorg:
> > > http://cgit.freedesktop.org/xorg/util/modular/tree/release.sh
> > >
> > > Feel free to send me patches to add the format you need. Though I do
> > > wonder: the tarball isn't available over https so I'm not sure what
> > > adding a separate file with checksums would add, especially if it's on
> > > the same server.
> >
> > OK, I'll look into it.
> >
> > I wasn't thinking of adding a separate file with checksums, but of adding a
> > detached gnupg signature, which is verifiable with out-of-band information,
> > given that your key is well connected in the WoT. (And while I'm at it,
> > signing the git tag.)
>
> Something like the following...
>
> gpg-sign the git tag and the generated tarballs, and upload the signatures
> along with the tarballs.
>
> Signed-off-by: Stephen Kitt <skitt at debian.org>
>
> --- release.sh.orig 2014-05-06 01:04:22.652607233 +0200
> +++ release.sh 2014-05-06 01:12:17.114860393 +0200
> @@ -299,6 +299,10 @@
> return 1
> fi
>
> + [ -n "$targz" ] && gpg -b $targz && siggz=${targz}.sig || true
> + [ -n "$tarbz2" ] && gpg -b $tarbz2 && sigbz2=${tarbz2}.sig || true
> + [ -n "$tarxz" ] && gpg -b $tarxz && sigxz=${tarxz}.sig || true
> +
> # Obtain the top commit SHA which should be the version bump
> # It should not have been tagged yet (the script will do it later)
> local_top_commit_sha=`git rev-list --max-count=1 HEAD`
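
Review bot: The trailing `|| true` on each of the three added `gpg -b` lines hides a signing failure: if gpg exits non-zero (no secret key, cancelled passphrase prompt), the matching `sig*` variable stays unset and the script carries on to tag and upload an unsigned release with no message. The surrounding code already bails out with `return 1` on errors, so consider testing each tarball explicitly, e.g. `if [ -n "$targz" ]; then gpg -b "$targz" || return 1; siggz="${targz}.sig"; fi`, which also quotes the file name. A short comment noting that the `.sig` name relies on gpg's default output name for a binary detached signature would help the next reader.
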
> @@ -354,7 +358,7 @@
> else
> # Tag the top commit with the tar name
> if [ x"$DRY_RUN" = x ]; then
> - git tag -m $tar_name $tar_name
> + git tag -s -m $tar_name $tar_name
> if [ $? -ne 0 ]; then
> echo "Error: unable to tag module with \"$tar_name\"."
> cd $top_src
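
Review bot: With `git tag -s` the tag step now requires a usable GnuPG secret key for everyone who runs the script, and the failure path below it still prints only "unable to tag module", which does not tell the releaser that signing was the cause. Suggest mentioning the signing requirement in that error text (or in the script's usage notes), and quoting the arguments: `git tag -s -m "$tar_name" "$tar_name"`.
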
> @@ -501,7 +505,7 @@
> # Upload to host using the 'scp' remote file copy program
> if [ x"$DRY_RUN" = x ]; then
> echo "Info: uploading tarballs to web server:"
> - scp $targz $tarbz2 $tarxz $USER_NAME$hostname:$srv_path
> + scp $targz $tarbz2 $tarxz $siggz $sigbz2 $sigxz $USER_NAME$hostname:$srv_path
> if [ $? -ne 0 ]; then
> echo "Error: the tarballs uploading failed."
> cd $top_src
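
Review bot: The new `scp` line uploads whatever `$siggz $sigbz2 $sigxz` happen to hold, so a tarball whose signature was not produced in the first hunk (where `|| true` leaves the variable empty) is uploaded without one and nothing reports it. Suggest checking before the upload that each non-empty tarball variable has a matching signature, for example with `gpg --verify "$sigxz" "$tarxz"`, and updating the "uploading tarballs" and "tarballs uploading failed" messages to mention the signatures.
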

Can you send this to the xorg-devel list please, that's where the release
script is maintained. We're just (ab)using it for libevdev to avoid having
to write everything again. Thanks.

Cheers,
Peter