[PATCH 1/2] release: provide clearsigned sha256sum

[PATCH 1/2] release: provide clearsigned sha256sum

[David Bremner]

To quote id:87ftrpgjdb.fsf@fifthhorseman.net

     if the thing verified is the output of sha256sum, then the
     *filename* of the tarball itself is included, then the standard
     verification step will is sufficient to ensure that you've got the right
     version in the filename.

This is in addition to the detached signature on the tarball
---
 Makefile.global | 2 +-
 Makefile.local  | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/Makefile.global b/Makefile.global
index 6e17494a..27c82433 100644
--- a/Makefile.global
+++ b/Makefile.global
@@ -43,7 +43,7 @@ RELEASE_URL=https://notmuchmail.org/releases
 TAR_FILE=$(PACKAGE)-$(VERSION).tar.gz
 ELPA_FILE:=$(PACKAGE)-emacs-$(ELPA_VERSION).tar
 DEB_TAR_FILE=$(PACKAGE)_$(VERSION).orig.tar.gz
-SHA256_FILE=$(TAR_FILE).sha256
+SHA256_FILE=$(TAR_FILE).sha256.asc
 GPG_FILE=$(TAR_FILE).asc
 
 PV_FILE=bindings/python/notmuch/version.py
diff --git a/Makefile.local b/Makefile.local
index 01ba49cc..79595925 100644
--- a/Makefile.local
+++ b/Makefile.local
@@ -40,7 +40,7 @@ $(TAR_FILE):
 	@echo "Source is ready for release in $(TAR_FILE)"
 
 $(SHA256_FILE): $(TAR_FILE)
-	sha256sum $^ > $@
+	sha256sum $^ | gpg --armour --clear-sign > $@
 
 $(GPG_FILE): $(TAR_FILE)
 	gpg --armor --detach-sign $^
-- 
2.20.1

[PATCH 2/2] release: use xz compression

[David Bremner]

This produces tarballs that are roughly 30% smaller.
---
 Makefile.global | 4 ++--
 Makefile.local  | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/Makefile.global b/Makefile.global
index 27c82433..e4dbce48 100644
--- a/Makefile.global
+++ b/Makefile.global
@@ -40,9 +40,9 @@ DEB_TAG=debian/$(UPSTREAM_TAG)-1
 RELEASE_HOST=notmuchmail.org
 RELEASE_DIR=/srv/notmuchmail.org/www/releases
 RELEASE_URL=https://notmuchmail.org/releases
-TAR_FILE=$(PACKAGE)-$(VERSION).tar.gz
+TAR_FILE=$(PACKAGE)-$(VERSION).tar.xz
 ELPA_FILE:=$(PACKAGE)-emacs-$(ELPA_VERSION).tar
-DEB_TAR_FILE=$(PACKAGE)_$(VERSION).orig.tar.gz
+DEB_TAR_FILE=$(PACKAGE)_$(VERSION).orig.tar.xz
 SHA256_FILE=$(TAR_FILE).sha256.asc
 GPG_FILE=$(TAR_FILE).asc
 
diff --git a/Makefile.local b/Makefile.local
index 79595925..d16245cb 100644
--- a/Makefile.local
+++ b/Makefile.local
@@ -36,7 +36,7 @@ $(TAR_FILE):
 		--transform s_^_$(PACKAGE)-$(VERSION)/_  \
 		--transform 's_.tmp$$__' --mtime=@$$ct version.tmp
 	rm version.tmp
-	gzip -n < $(TAR_FILE).tmp > $(TAR_FILE)
+	xz -C sha256 -9 < $(TAR_FILE).tmp > $(TAR_FILE)
 	@echo "Source is ready for release in $(TAR_FILE)"
 
 $(SHA256_FILE): $(TAR_FILE)
-- 
2.20.1

Re: [PATCH 2/2] release: use xz compression

[Daniel Kahn Gillmor]

[-- Attachment #1: Type: text/plain, Size: 340 bytes --]

On Tue 2019-03-19 07:08:19 -0300, David Bremner wrote:
> This produces tarballs that are roughly 30% smaller.

LGTM.  I can confirm that i'm seeing tarball sizes go from 924543 bytes
(or 917179 bytes with gzip -9) to 644892 bytes with this xz approach.

I think the ecosystem that notmuch targets *can* handle .xz these days,
too.

  --dkg

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 227 bytes --]

Re: [PATCH 2/2] release: use xz compression

[Tomi Ollila]

On Sat, Mar 23 2019, Daniel Kahn Gillmor wrote:

> On Tue 2019-03-19 07:08:19 -0300, David Bremner wrote:
>> This produces tarballs that are roughly 30% smaller.
>
> LGTM.  I can confirm that i'm seeing tarball sizes go from 924543 bytes
> (or 917179 bytes with gzip -9) to 644892 bytes with this xz approach.
>
> I think the ecosystem that notmuch targets *can* handle .xz these days,
> too.

Most probably!

Something related: any wisdom here:

https://www.nongnu.org/lzip/xz_inadequate.html

?

>   --dkg

Tomi

Re: [PATCH 2/2] release: use xz compression

[David Bremner]

Tomi Ollila <tomi.ollila@iki.fi> writes:

>
> Something related: any wisdom here:
>
> https://www.nongnu.org/lzip/xz_inadequate.html
>

I guess for me it lacks some kind of "peer review". As the author notes,
he has his own biases being the creator/author of a competing solution.
I'm not aware of any more "arms length" discussion of the issues
involved.

d

Re: [PATCH 2/2] release: use xz compression

[David Bremner]

David Bremner <david@tethera.net> writes:

> This produces tarballs that are roughly 30% smaller.

pushed to master. People building snapshots may need to adjust their
machinery.

d

Re: [PATCH 1/2] release: provide clearsigned sha256sum

[Daniel Kahn Gillmor]

[-- Attachment #1: Type: text/plain, Size: 607 bytes --]

On Tue 2019-03-19 07:08:18 -0300, David Bremner wrote:
> To quote id:87ftrpgjdb.fsf@fifthhorseman.net
>
>      if the thing verified is the output of sha256sum, then the
>      *filename* of the tarball itself is included, then the standard
>      verification step will is sufficient to ensure that you've got the right
>      version in the filename.
>
> This is in addition to the detached signature on the tarball

I think the 3-part series i published starting at
id:20190323123544.6264-1-dkg@fifthhorseman.net supercedes this patch.

thanks for maintaining our release processes, David!

       --dkg

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 227 bytes --]