On Wed, Jun 24, 2015 at 9:19 PM, Ferenc Kovacs <tyr...@gmail.com> wrote:
> On Wed, Jun 24, 2015 at 8:13 PM, Anatol Belski <anatol....@belski.net>
> wrote:
>
>> Hi Hannes,
>>
>> The change sounds reasonable.
>>
>> I would like just to ask you for the future - please discuss before
>> adding a change to the release process. It would probably also be good to
>> hear from the other RMs doing the job for longer whether they agree with
>> this. Ferenc, Julien, Stas - is such a change ok with you?
>>
>> With the .asc, do you mean the exported public key? Like
>>
>> gpg -ao _something_-public.key --export key_id
>>
>
> hi,
>
> we are already signing the release tarballs, the signature is created via
> gpg -u YOUREMAIL --armor --detach-sign php-X.Y.Z.tar.xxx
> as mentioned in the README.RELEASE_PROCESS:
>
> http://git.php.net/?p=php-src.git;a=blob;f=README.RELEASE_PROCESS;h=5d8ad1abfe81d4543b4107afe1476b57fb8a2178;hb=refs/heads/master#l178
>
> Hannes' change was about having both checksums (personally I think that
> having the sha256 should be enough, no reason for the md5) and the
> signatures included/attached in the announcement mails so we have another
> distinct source of information which our users can use to crosscheck/verify
> the downloads.
>

Sounds good to me, thanks for the ping.

Julien Pauli