On Sat, Aug 11, 2012 at 11:57 AM, Daniel Shahaf <d...@daniel.shahaf.name> wrote:
> The idea is that a hypothetical malicious release manager could create
> tar.gz and tar.bz2 correctly but a malicious .zip file.
>
> We could write a release.py subcommand that compares the
> tar.gz/tar.bz2/zip to each other (and to the tag in svn.a.o). Then
> people can run
>
> release.py intercompare-tarballs && release.py sign-tarballs
+1. I'd encourage anyone who uses something like this to review the code before using it, to determine that the release packaging matches.
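The intercompare check described in the quoted message, as an added illustration that is not part of this thread and not Subversion's release.py: it builds a path-to-SHA-256 manifest for each artifact (tar.gz and tar.bz2 via tarfile, .zip via zipfile, and a plain directory standing in for an export of the svn tag) and reports any path whose digest differs or which is missing from one of them. The archives and the "tampered" .zip are constructed in a temporary directory purely as sample data; the function and file names are this example's own.

```python
import hashlib
import io
import os
import tarfile
import tempfile
import zipfile


def _sha256(data):
    return hashlib.sha256(data).hexdigest()


def manifest_from_tar(path):
    """Map each regular file in a tar archive (gz, bz2 or plain) to its SHA-256."""
    result = {}
    with tarfile.open(path, "r:*") as tf:  # "r:*" auto-detects the compression
        for member in tf.getmembers():
            if member.isfile():
                result[member.name] = _sha256(tf.extractfile(member).read())
    return result


def manifest_from_zip(path):
    """Map each file entry in a zip archive to its SHA-256 (directories skipped)."""
    result = {}
    with zipfile.ZipFile(path) as zf:
        for info in zf.infolist():
            if not info.is_dir():
                result[info.filename] = _sha256(zf.read(info))
    return result


def manifest_from_dir(root):
    """Manifest of a checked-out tree; entries are prefixed with the directory's
    base name so they line up with the top-level directory inside the archives."""
    prefix = os.path.basename(os.path.normpath(root))
    result = {}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            full = os.path.join(dirpath, fn)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as f:
                result[prefix + "/" + rel] = _sha256(f.read())
    return result


def manifest(path):
    if os.path.isdir(path):
        return manifest_from_dir(path)
    if path.endswith(".zip"):
        return manifest_from_zip(path)
    return manifest_from_tar(path)


def intercompare(paths):
    """Return [(entry, {artifact: digest-or-None}), ...] for every entry whose
    content differs between artifacts or is absent from some of them.
    An empty list means all artifacts carry identical file contents."""
    manifests = {p: manifest(p) for p in paths}
    all_names = set()
    for m in manifests.values():
        all_names.update(m)
    problems = []
    for name in sorted(all_names):
        digests = {p: m.get(name) for p, m in manifests.items()}
        if len(set(digests.values())) > 1:
            problems.append((name, digests))
    return problems


def build_sample_release(outdir, files, zip_override=None):
    """Constructed sample data: write a tag-like directory plus tar.gz, tar.bz2
    and zip artifacts from `files` (archive path -> bytes). `zip_override`
    substitutes content in the .zip only, simulating a single bad artifact."""
    tag_dir = os.path.join(outdir, "proj-1.0")
    for name, data in files.items():
        full = os.path.join(tag_dir, *name.split("/")[1:])
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
    paths = [tag_dir]
    for ext, mode in ((".tar.gz", "w:gz"), (".tar.bz2", "w:bz2")):
        p = os.path.join(outdir, "proj-1.0" + ext)
        with tarfile.open(p, mode) as tf:
            for name, data in files.items():
                info = tarfile.TarInfo(name)
                info.size = len(data)
                tf.addfile(info, io.BytesIO(data))
        paths.append(p)
    p = os.path.join(outdir, "proj-1.0.zip")
    with zipfile.ZipFile(p, "w") as zf:
        for name, data in files.items():
            zf.writestr(name, (zip_override or {}).get(name, data))
    paths.append(p)
    return paths


def demo():
    """Run the check on a consistent release and on one whose zip was altered."""
    files = {"proj-1.0/README": b"sample project\n",
             "proj-1.0/src/main.c": b"int main(void) { return 0; }\n"}
    with tempfile.TemporaryDirectory() as tmp:
        good_dir = os.path.join(tmp, "good")
        bad_dir = os.path.join(tmp, "bad")
        os.mkdir(good_dir)
        os.mkdir(bad_dir)
        good = intercompare(build_sample_release(good_dir, files))
        bad = intercompare(build_sample_release(
            bad_dir, files, {"proj-1.0/src/main.c": b"int main(void) { return 1; }\n"}))
    return good, bad


if __name__ == "__main__":
    good, bad = demo()
    print("consistent release:", "OK" if not good else good)
    print("altered zip:", [name for name, _ in bad])
```

Running the check before signing, as in the quoted `intercompare-tarballs && sign-tarballs` pipeline, means a signature is only produced when every artifact and the tag agree; the directory comparison is what catches the case where all three archives are consistent with each other but none matches what was tagged.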