[ Summary: collect signatures for releases via a CGI that verifies signatures and commits them to a Subversion repository. ]
We now have a CGI script[1] that collects the signatures for release, verifies them, and assembles them into *.asc files. That automates some work that previously fell upon the release manager.

Several features were suggested for the CGI:

* verify signatures as they are being collected
  [this was present in the CGI from day one]
* allow anyone (not just the RM) to retrieve collected signatures
  [this was implemented last week]
* notify dev@ upon new signatures
* notify IRC upon new signatures
* display statistics about the collected signatures

It seems to me that we could meet most of these requirements --- specifically, the second, third, and fourth --- by storing the signatures in a Subversion repository. We could continue meeting the first requirement by using the signature-verifying CGI as a doorway. Specifically, the suggested process is:

* Signatures would be entered into the CGI.
* The CGI would verify them (like today).
* The CGI would then commit them to the backing repository.
* Notification to dev@/IRC will be handled by standard post-commit hooks.

This addresses all but the 'statistics' criterion (which includes, for example, reporting how many signatures each tarball currently has and how they are distributed between Unix/Windows).

Thoughts?

Daniel

[1] http://work.hyrumwright.org/pub/svn/collect_sigs.py
    http://svn.apache.org/repos/asf/subversion/trunk/tools/dist/collect_sigs.py
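The verify-then-commit doorway proposed above, as an added example; it is not collect_sigs.py or any other project code. The function names, the one-.asc-file-per-tarball layout in a Subversion working copy, and a gpg keyring that holds only the expected signers' keys are assumptions.

```python
import re
import subprocess
import tempfile
from pathlib import Path

# One ASCII-armored detached signature; a submission may contain several.
SIG_RE = re.compile(
    r"-----BEGIN PGP SIGNATURE-----.*?-----END PGP SIGNATURE-----\n?", re.S)

def gpg_verify(sig_text, tarball):
    """True only if gpg accepts sig_text as a detached signature on tarball.
    Assumption: the keyring gpg uses holds only the expected signers' keys,
    since gpg exits 0 for a good signature from any key it knows."""
    with tempfile.NamedTemporaryFile("w", suffix=".asc") as f:
        f.write(sig_text)
        f.flush()
        result = subprocess.run(["gpg", "--verify", f.name, str(tarball)],
                                capture_output=True)
    return result.returncode == 0

def svn_commit(wc_dir, path, message):
    """Add (if new) and commit one file; post-commit hooks do the notifying."""
    subprocess.run(["svn", "add", "--force", str(path)], cwd=wc_dir, check=True)
    subprocess.run(["svn", "commit", "-m", message, str(path)],
                   cwd=wc_dir, check=True)

def collect(submission, tarball, wc_dir, verify=gpg_verify, commit=svn_commit):
    """Verify every signature in submission against tarball; append the good
    ones to <tarball>.asc in wc_dir and commit once. Returns (accepted, rejected).
    Assumption: tarball is a path chosen server-side, never raw form input."""
    asc = Path(wc_dir) / (Path(tarball).name + ".asc")
    collected = asc.read_text() if asc.exists() else ""
    accepted = rejected = 0
    for sig in SIG_RE.findall(submission):
        sig = sig.rstrip("\n") + "\n"
        if sig in collected:          # already stored: no duplicate, no commit
            continue
        if verify(sig, tarball):
            collected += sig
            accepted += 1
        else:
            rejected += 1             # unverified input never reaches the repo
    if accepted:
        asc.write_text(collected)
        commit(wc_dir, asc,
               f"Add {accepted} signature(s) for {Path(tarball).name}")
    return accepted, rejected
```

Because only the CGI's account needs commit access to the signature repository, everything that lands there has passed verification, and read access can be opened to anyone.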

