On Sun, Aug 12, 2012 at 8:03 PM, Ben Reser <b...@reser.org> wrote:
> On Sun, Aug 12, 2012 at 8:22 AM, Daniel Shahaf <d...@daniel.shahaf.name>
> wrote:
>> No. It makes them worse.
>>
>> Unless of course you expanded the tar and diff'd it --ignore-eol-style
>> against the zip you had built, in which case it does make them better.
>
> Maybe I'm being obtuse but isn't everyone signing checking the code
> against the branch (for every file they're signing)? That should be
> the absolute minimum anyone is doing before signing.
Well, I don't actually. But then again, I'm not stating that when I give my +1. The community guide says [1]:

[[[
Signing a tarball means that you assert certain things about it. When announcing your signature, indicate in the mail what steps you've taken to verify that the tarball is correct, such as verifying the contents against the proper tag in the repository. Running make check over all RA layers and FS backends is also a good idea, as well as building and testing the bindings.
]]]

So IIUC the most important thing is that you indicate explicitly what you've done. In my case: testing several RA layers, and checking the checksum and signatures.

[1] http://subversion.apache.org/docs/community-guide/releasing.html#tarball-signing

-- 
Johan
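The two checks the thread keeps coming back to (verify the tarball's checksum, and compare the unpacked tarball against an export of the tag while ignoring end-of-line differences, which is what Daniel's diff --ignore-eol-style does in svn diff -x --ignore-eol-style) can be scripted. The block below is an added example, not code from this thread or from the Subversion project. It assumes GNU diff (--strip-trailing-cr is GNU diff's counterpart to ignoring EOL style), a tarball with a single top-level directory, and either sha512sum or shasum on PATH; the release tree it checks is a constructed fixture, not a real Subversion tag.

```shell
#!/bin/sh
# Added example (not from the thread or the Subversion project): the tarball
# checks a signer might run before giving a +1. Assumptions: GNU diff with
# --strip-trailing-cr, sha512sum or shasum available, one top-level dir in
# the tarball.
set -u

# SHA-512 of a file, portable across coreutils sha512sum and perl shasum.
sha512_of() {
    if command -v sha512sum >/dev/null 2>&1; then
        sha512sum "$1" | cut -d' ' -f1
    else
        shasum -a 512 "$1" | cut -d' ' -f1
    fi
}

# Succeeds only if the tarball's SHA-512 equals the published value.
check_checksum() {
    tarball=$1; expected=$2
    [ "$(sha512_of "$tarball")" = "$expected" ]
}

# Unpack the tarball into a scratch dir and diff it against the tag export.
# Line-ending differences (LF in the tarball, CRLF in a zip build) are
# tolerated; any other difference, or an unpack failure, fails the check.
compare_with_tag() {
    tarball=$1; tagdir=$2
    work=$(mktemp -d)
    if ! tar -xzf "$tarball" -C "$work"; then
        rm -rf "$work"
        return 1
    fi
    top=$(ls "$work" | head -n 1)      # single top-level directory assumed
    diff -r --strip-trailing-cr "$work/$top" "$tagdir"
    rc=$?
    rm -rf "$work"
    return $rc
}

# Constructed fixture: a fake tag export plus a tarball of the same tree in
# which README has CRLF endings; with tampered=yes, main.c is also altered.
make_fixture() {
    root=$1; tampered=$2
    mkdir -p "$root/tag/proj" "$root/src/proj"
    printf 'line one\nline two\n' > "$root/tag/proj/README"
    printf 'int main(void){return 0;}\n' > "$root/tag/proj/main.c"
    printf 'line one\r\nline two\r\n' > "$root/src/proj/README"   # CRLF only
    if [ "$tampered" = yes ]; then
        printf 'int main(void){return 1;}\n' > "$root/src/proj/main.c"
    else
        printf 'int main(void){return 0;}\n' > "$root/src/proj/main.c"
    fi
    (cd "$root/src" && tar -czf "$root/proj.tar.gz" proj)
}
```

In practice the expected checksum comes from the release announcement and the tag export from svn export of the release tag; the fixture above stands in for both so the script runs offline. A tree that differs only in line endings passes compare_with_tag; one with a changed source file does not, which is the distinction Daniel draws between diffing with and without ignoring EOL style.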