Mark Phippard wrote on Sat, Aug 11, 2012 at 18:06:18 -0400:
> On Sat, Aug 11, 2012 at 2:57 PM, Daniel Shahaf <d...@daniel.shahaf.name> wrote:
> > Mark Phippard wrote on Fri, Aug 10, 2012 at 09:30:01 -0400:
> >> On Fri, Aug 10, 2012 at 9:06 AM, Philip Martin <philip.mar...@wandisco.com> wrote:
> >> > Justin Erenkrantz <jus...@erenkrantz.com> writes:
> >> >
> >> >> On Wed, Aug 8, 2012 at 1:40 PM, Philip Martin <philip.mar...@wandisco.com> wrote:
> >> >>> Subversion 1.7.6 tarballs are now available for testing/signing by
> >> >>> committers. To obtain them please check out a working copy from
> >> >>> https://dist.apache.org/repos/dist/dev/subversion
> >> >>
> >> >> +1 for release.
> >> >>
> >> >> Tested on Mac OS X 10.7.4.
> >> >>
> >> >> All tests pass (even the one that C-Mike pointed out failed for him).
> >> >>
> >> >> BTW, I used the release.py script...which signed all of the release
> >> >> files. *shrug*
> >> >
> >> > You didn't have to commit all the files! You can also sign the files
> >> > manually without using release.py.
> >> >
> >> > I signed all the files as release manager but while I looked at the zip
> >> > file I didn't build/test it. When signing releases in the past I signed
> >> > only the files I tested. I suppose we should extend release.py to
> >> > support signing a subset.
> >>
> >> I have sometimes wondered why we do not all sign all of the files.
> >
> > The idea is that a hypothetical malicious release manager could create
> > tar.gz and tar.bz2 correctly but a malicious .zip file.
>
> But if we still require three +1's from Windows testers and three from
> Unix testers does that not take care of it? Paul and I tested and
> signed the Windows zip file. Doesn't it make the signatures of the
> Unix tar's "better" if we also signed those?

No. It makes them worse. Unless of course you expanded the tar and
diff'd it --ignore-eol-style against the zip you had built, in which
case it does make them better.

> Likewise, if C-Mike, Philip and Justin signed the Windows zip files it
> seems like that would also be "better".
>
> They would not be giving a binding Windows +1, just adding their
> signatures to the files.
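The check Daniel describes, expanding the tar you tested and diffing it against the zip with only line-ending differences ignored, is what turns a "courtesy" signature on an artifact you did not build into a meaningful one: it ties the zip's contents to the tarball you actually tested. The following is an added example of that comparison, written for this page; it is not code from the thread, from Subversion's release.py, or from the Apache dist tooling. It builds two small constructed archives in memory (a tar.gz with LF files and a zip with CRLF text files, the way a Windows zip of the same sources would look), then compares every member, normalising CRLF to LF only for files whose names mark them as text, and reports anything that is missing from one side or differs after normalisation. The file names, the list of text suffixes and the tampered variant are assumptions made for the demonstration.

```python
"""Compare a .tar.gz release artifact with its .zip sibling, ignoring only
EOL differences in text files. Added example, not Subversion project code."""
import io
import os
import tarfile
import tempfile
import zipfile

# Assumption for this example: which members are text (eligible for EOL
# normalisation). Anything else is compared byte for byte.
TEXT_SUFFIXES = (".c", ".h", ".txt", ".py", ".in")
TEXT_BASENAMES = ("README", "INSTALL", "COPYING", "CHANGES")

# Constructed sample tree standing in for a release. Not real 1.7.6 content.
SAMPLE_TREE = {
    "subversion-1.7.6/README": b"Subversion release candidate\n",
    "subversion-1.7.6/subversion/svn/main.c": b"int main(void)\n{\n    return 0;\n}\n",
    "subversion-1.7.6/build/logo.bin": bytes(range(256)),  # binary, must match exactly
}


def is_text(name: str) -> bool:
    return name.endswith(TEXT_SUFFIXES) or os.path.basename(name) in TEXT_BASENAMES


def normalize_eol(data: bytes) -> bytes:
    """CRLF -> LF, the only difference a Windows zip is allowed to introduce."""
    return data.replace(b"\r\n", b"\n")


def tar_members(path: str) -> dict:
    """Map member name -> bytes for every regular file in a .tar.gz."""
    out = {}
    with tarfile.open(path, "r:gz") as tf:
        for m in tf.getmembers():
            if m.isfile():
                out[m.name] = tf.extractfile(m).read()
    return out


def zip_members(path: str) -> dict:
    """Map member name -> bytes for every file entry in a .zip."""
    out = {}
    with zipfile.ZipFile(path) as zf:
        for info in zf.infolist():
            if not info.is_dir():
                out[info.filename] = zf.read(info)
    return out


def compare_archives(tar_path: str, zip_path: str) -> list:
    """Return a list of problems; an empty list means the zip matches the tar
    modulo line endings in text files. Extra, missing and altered members are
    all reported, so a zip with an injected file does not pass."""
    a, b = tar_members(tar_path), zip_members(zip_path)
    problems = []
    for name in sorted(set(a) | set(b)):
        if name not in a:
            problems.append(f"only in zip: {name}")
        elif name not in b:
            problems.append(f"only in tar: {name}")
        else:
            x, y = a[name], b[name]
            if is_text(name):
                x, y = normalize_eol(x), normalize_eol(y)
            if x != y:
                problems.append(f"content differs: {name}")
    return problems


def build_sample_archives(dirpath: str, tamper: bool = False) -> tuple:
    """Write release.tar.gz (LF) and release.zip (CRLF text) from SAMPLE_TREE.
    With tamper=True the zip carries a modified main.c and an extra file,
    modelling the 'correct tarballs, malicious zip' case from the thread."""
    tar_path = os.path.join(dirpath, "release.tar.gz")
    zip_path = os.path.join(dirpath, "release.zip")
    with tarfile.open(tar_path, "w:gz") as tf:
        for name, data in SAMPLE_TREE.items():
            ti = tarfile.TarInfo(name)
            ti.size = len(data)
            tf.addfile(ti, io.BytesIO(data))
    zip_tree = {
        name: (data.replace(b"\n", b"\r\n") if is_text(name) else data)
        for name, data in SAMPLE_TREE.items()
    }
    if tamper:
        zip_tree["subversion-1.7.6/subversion/svn/main.c"] = (
            b"int main(void)\r\n{\r\n    system(\"evil\");\r\n    return 0;\r\n}\r\n")
        zip_tree["subversion-1.7.6/build/extra.c"] = b"/* injected */\r\n"
    with zipfile.ZipFile(zip_path, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in zip_tree.items():
            zf.writestr(name, data)
    return tar_path, zip_path


def demo() -> tuple:
    """Run the check on a clean pair and on a tampered pair."""
    with tempfile.TemporaryDirectory() as d:
        clean = compare_archives(*build_sample_archives(d, tamper=False))
    with tempfile.TemporaryDirectory() as d:
        bad = compare_archives(*build_sample_archives(d, tamper=True))
    return clean, bad


if __name__ == "__main__":
    clean, bad = demo()
    print("clean pair:", clean or "OK, sign both")
    print("tampered pair:", bad)
```

Normalising only CRLF, and only for members you know are text, is deliberate: a blanket `diff -w` or a normaliser that also strips trailing whitespace would let a zip with real source changes slip through as "just line endings". Against a real release you would point `compare_archives` at the tarball you built and tested and the zip checked out from the dist area, and sign the zip only when the list comes back empty.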