[Mesa-dev] [RFC] Mesa 9.2 and release process changes

Dave Airlie airlied at gmail.com
Tue Jul 2 14:49:21 PDT 2013


On Wed, Jul 3, 2013 at 7:37 AM, Matt Turner <mattst88 at gmail.com> wrote:
> On Tue, Jul 2, 2013 at 1:02 PM, Ian Romanick <idr at freedesktop.org> wrote:
>> 2. Instead of just posting md5sum for the release tarballs, I think we
>> should start GPG signing them.  I'm not sure what sort of process we want to
>> establish for this.  Should they just be signed by the release manager's key?
>> Is this easier than I think it is?
>
> GPG sign the git tag (git tag -s) and the announce email which
> contains the md5/sha sums. That's how X.Org releases are done.

There should be a reason for doing 2, btw; just stating I'd like to do
this doesn't give us any advantages over what we have now. What's the
point, stopping hackers? etc.

The X.org md5/sha email was put in place to allow us to rebuild the
archive if it ever got wiped again (which happened in the past), so we
have a list of tarballs we've released and their signatures. People
can also use it to verify tarballs.

GPG signing tags is now being used sometimes in the kernel world,
though really unless a developer has a gpg key that is trusted by
other devs, and hence has met up with other devs to ensure that, gpg
signing isn't gaining much.

Dave.

