[Mesa-dev] [RFC] Mesa 9.2 and release process changes

Kurt Roeckx kurt at roeckx.be
Mon Jul 8 13:29:19 PDT 2013


On Tue, Jul 02, 2013 at 02:37:54PM -0700, Matt Turner wrote:
> On Tue, Jul 2, 2013 at 1:02 PM, Ian Romanick <idr at freedesktop.org> wrote:
> > 2. Instead of just posting md5sum for the release tarballs, I think we
> > should start GPG signing them.  I'm not sure what sort of process we want to
> > establish for this.  Should they just be signed by the release managers key?
> > Is this easier than I think it is?
> 
> GPG sign the git tag (git tag -s) and the announce email which
> contains the md5/sha sums. That's how X.Org releases are done.

I think best practice is:
- Sign the released tarball, and distribute that with the tarball.
- Distribute SHA1/SHA256 checksums together with the tarball.
- In the release announcement include the checksums
- Send a signed release announcement
- Sign the release in git

Please move away from MD5.  It's not useful at all to check whether
it's the real tarball or not.

It's helpful if the signature is done by someone that has a good
connection to the web of trust, but it's not really a requirement.
You could also consider creating a role key for that and have the
people that have access to it sign it, but I don't really
recommend it.

The idea of having the checksums in the release announcement is
that those mails usually end up in several places, and it's
unlikely that they all get compromised.  The signature is so that
at least some people can verify and complain if it's not what
they see.


Kurt
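Taking the consumer's side of the scheme Kurt sketches (check the detached GPG signature on the tarball, then check its SHA-256 against the distributed checksum file), as an added example that is not from this thread or from Mesa's release tooling; the gpg call assumes `gpg` is installed and the release key is already in the local keyring, and the tarball name and bytes are constructed placeholders:

```python
import hashlib
import re
import subprocess

# Added example for this thread, not Mesa's or X.Org's release scripts.
# Models a downstream check of a release: detached signature first, then
# the SHA-256 entry from a sha256sum(1)-style SHA256SUMS file.

# sha256sum output is "<64 hex>  <name>" (text mode) or "<64 hex> *<name>".
SHA256_LINE = re.compile(r"^([0-9a-f]{64})\s[ *](.+)$")


def parse_sha256sums(text):
    """Parse sha256sum(1) output into {filename: hexdigest}.
    Only 64-hex-digit (SHA-256) entries are accepted; a 32-digit MD5
    line is rejected with ValueError instead of being silently trusted."""
    sums = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = SHA256_LINE.match(line)
        if not m:
            raise ValueError("line %d is not a SHA-256 entry: %r" % (lineno, line))
        sums[m.group(2)] = m.group(1)
    return sums


def sha256_matches(name, data, sums):
    """True only if `name` is listed and the SHA-256 of `data` equals it."""
    expected = sums.get(name)
    if expected is None:
        return False
    return hashlib.sha256(data).hexdigest() == expected


def gpg_signature_ok(tarball_path, sig_path):
    """Verify a detached signature; gpg exits 0 only on a good, trusted key.
    Assumes gpg is installed and the signer's key is in the keyring."""
    r = subprocess.run(["gpg", "--batch", "--verify", sig_path, tarball_path],
                       stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return r.returncode == 0


# Constructed sample data standing in for a real tarball and its SHA256SUMS.
SAMPLE_TARBALL = b"not a real tarball, just constructed bytes\n"
SAMPLE_NAME = "example-release.tar.bz2"  # placeholder name, not a real release
SAMPLE_SUMS = hashlib.sha256(SAMPLE_TARBALL).hexdigest() + "  " + SAMPLE_NAME + "\n"
```

Run `gpg_signature_ok` before trusting the checksum file at all; a checksum only tells you the bytes match what the (possibly compromised) mirror says, the signature is what ties them to the release manager's key.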


