On Wed, Jun 24, 2015 at 8:13 PM, Anatol Belski <anatol....@belski.net> wrote:
> Hi Hannes,
>
> The change sounds reasonable.
>
> I would like just to ask you for the future - please discuss before adding
> a change to the release process. It would probably also be good to hear from
> the other RMs doing the job for longer whether they agree with this.
> Ferenc, Julien, Stas - is such a change ok with you?
>
> With the .asc, do you mean the exported public key? Like
>
> gpg -ao _something_-public.key --export key_id
>

hi,

we are already signing the release tarballs, the signature is created via

gpg -u YOUREMAIL --armor --detach-sign php-X.Y.Z.tar.xxx

as mentioned in the README.RELEASE_PROCESS:
http://git.php.net/?p=php-src.git;a=blob;f=README.RELEASE_PROCESS;h=5d8ad1abfe81d4543b4107afe1476b57fb8a2178;hb=refs/heads/master#l178

Hannes' change was about having both checksums (personally I think that having the sha256 should be enough, no reason for the md5) and the signatures included/attached in the announcement mails so we have another distinct source of information which our users can use to crosscheck/verify the downloads.

--
Ferenc Kovács
@Tyr43l - http://tyrael.hu
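
The user-side cross-check discussed in this mail, as an added example that is not part of the original message or of PHP's release tooling: it accepts a tarball only if the SHA-256 from the download site, the SHA-256 from the announcement mail and the digest of the file on disk all agree, then checks the detached signature. The function names and argument order are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: function names and arguments are hypothetical.

# sha256_of FILE -> prints the lowercase hex SHA-256 digest of FILE
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# crosscheck_sha256 FILE SITE_SUM MAIL_SUM
# Returns 0 only if both published digests and the digest of the file
# on disk are identical.
#   1 = file does not match, 2 = file unreadable, 3 = sources disagree
crosscheck_sha256() {
    file=$1
    site=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    mail=$(printf '%s' "$3" | tr 'A-F' 'a-f')
    [ -f "$file" ] || { echo "missing file: $file" >&2; return 2; }
    if [ "$site" != "$mail" ]; then
        # One of the two sources was altered or is stale: stop here.
        echo "published checksums disagree (site vs. mail)" >&2
        return 3
    fi
    actual=$(sha256_of "$file") || return 2
    if [ "$actual" != "$mail" ]; then
        echo "checksum mismatch for $file" >&2
        return 1
    fi
    return 0
}

# verify_release FILE SIG SITE_SUM MAIL_SUM
# Runs the checksum cross-check, then verifies the detached signature
# produced by `gpg --armor --detach-sign`. The release manager's public
# key must already be in the local keyring, obtained out of band.
verify_release() {
    crosscheck_sha256 "$1" "$3" "$4" || return $?
    gpg --verify "$2" "$1"
}
```

A checksum only shows that the file matches what was published; the `gpg --verify` step is what ties the file to the release manager's key.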