On Wed, Jun 24, 2015 at 8:13 PM, Anatol Belski <anatol....@belski.net>
wrote:

> Hi Hannes,
>
> The change sounds reasonable.
>
> I would like just to ask you for the future - please discuss before adding
> a change to the release process. It would probably also be good to hear from
> the other RMs doing the job for longer whether they agree with this.
> Ferenc, Julien, Stas - is such a change ok with you?
>
> With the .asc, do you mean the exported public key? Like
>
> gpg -ao _something_-public.key --export key_id
>


hi,

we are already signing the release tarballs, the signature is created via
gpg -u YOUREMAIL --armor --detach-sign php-X.Y.Z.tar.xxx
as mentioned in the README.RELEASE_PROCESS:
http://git.php.net/?p=php-src.git;a=blob;f=README.RELEASE_PROCESS;h=5d8ad1abfe81d4543b4107afe1476b57fb8a2178;hb=refs/heads/master#l178

Hannes' change was about having both checksums (personally I think that
having the sha256 should be enough, no reason for the md5) and the
signatures included/attached in the announcement mails so we have another
distinct source of information which our users can use to crosscheck/verify
the downloads.

-- 
Ferenc Kovács
@Tyr43l - http://tyrael.hu
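
A user-side version of the cross-check this message describes, as an added example that is not part of the thread or of PHP's release tooling. The function names are hypothetical, and the digest and the signer's fingerprint are passed in as arguments, taken from a second source such as the announcement mail.

```shell
#!/bin/sh
# Added example (not from the thread): user-side cross-check of a release tarball.
# The digest and signer fingerprint are meant to come from a second source,
# such as the announcement mail; none are hard-coded here.

# check_sha256 FILE EXPECTED_HEX -> 0 only if the SHA-256 digest matches.
check_sha256() {
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    case $expected in
        *[!0-9a-f]*) return 2 ;;          # not hex: refuse rather than compare
    esac
    [ "${#expected}" -eq 64 ] || return 2 # wrong length for SHA-256
    actual=$(sha256sum "$1" 2>/dev/null | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}

# status_has_signer FPR -> 0 if gpg status text on stdin has a VALIDSIG line
# whose signing-key or primary-key fingerprint equals FPR.
status_has_signer() {
    want=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    awk -v want="$want" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == want || $NF == want) { ok = 1 }
        END { exit !ok }'
}

# check_signature FILE SIG FPR -> 0 if SIG is a valid detached signature over
# FILE made by the key FPR. A plain "gpg --verify" succeeds for any key in the
# keyring, so the signer is pinned explicitly.
check_signature() {
    gpg --status-fd 1 --verify "$2" "$1" 2>/dev/null | status_has_signer "$3"
}

# verify_release TARBALL SHA256 SIGFILE FPR
verify_release() {
    check_sha256 "$1" "$2" || { echo "sha256 mismatch: $1" >&2; return 1; }
    check_signature "$1" "$3" "$4" || { echo "signature check failed: $1" >&2; return 1; }
    echo "verified: $1"
}
```

The signer's public key has to be in the local keyring before `check_signature` can succeed.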
