* [PATCH 1/2] release: provide clearsigned sha256sum
@ 2019-03-19 10:08 David Bremner
2019-03-19 10:08 ` [PATCH 2/2] release: use xz compression David Bremner
2019-03-23 12:56 ` [PATCH 1/2] release: provide clearsigned sha256sum Daniel Kahn Gillmor
0 siblings, 2 replies; 7+ messages in thread
From: David Bremner @ 2019-03-19 10:08 UTC (permalink / raw)
To: notmuch
To quote id:87ftrpgjdb.fsf@fifthhorseman.net
if the thing verified is the output of sha256sum, then the
*filename* of the tarball itself is included, then the standard
verification step is sufficient to ensure that you've got the right
version in the filename.
This is in addition to the detached signature on the tarball
---
Makefile.global | 2 +-
Makefile.local | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/Makefile.global b/Makefile.global
index 6e17494a..27c82433 100644
--- a/Makefile.global
+++ b/Makefile.global
@@ -43,7 +43,7 @@ RELEASE_URL=https://notmuchmail.org/releases
TAR_FILE=$(PACKAGE)-$(VERSION).tar.gz
ELPA_FILE:=$(PACKAGE)-emacs-$(ELPA_VERSION).tar
DEB_TAR_FILE=$(PACKAGE)_$(VERSION).orig.tar.gz
-SHA256_FILE=$(TAR_FILE).sha256
+SHA256_FILE=$(TAR_FILE).sha256.asc
GPG_FILE=$(TAR_FILE).asc
PV_FILE=bindings/python/notmuch/version.py
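Review bot: SHA256_FILE on the changed line now names a clearsigned message rather than plain sha256sum output, but nothing here documents how it should be checked. Running sha256sum -c directly on the .sha256.asc file does not verify the signature, and it will also read any lines that sit outside the signed region, so a short comment next to the variable (and the release instructions) should say to take the checksum line from gpg's verified output and check the tarball against that. Anything that still fetches $(TAR_FILE).sha256 under RELEASE_URL will need updating too, since the old name is no longer produced.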
diff --git a/Makefile.local b/Makefile.local
index 01ba49cc..79595925 100644
--- a/Makefile.local
+++ b/Makefile.local
@@ -40,7 +40,7 @@ $(TAR_FILE):
@echo "Source is ready for release in $(TAR_FILE)"
$(SHA256_FILE): $(TAR_FILE)
- sha256sum $^ > $@
+ sha256sum $^ | gpg --armour --clear-sign > $@
$(GPG_FILE): $(TAR_FILE)
gpg --armor --detach-sign $^
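Review bot: in the $(SHA256_FILE) recipe the shell creates $@ through the "> $@" redirect before gpg has produced anything, so if gpg fails (no usable secret key, a cancelled passphrase prompt) an empty or truncated .sha256.asc is left behind with a fresh timestamp and the next make run treats it as up to date. The pipeline's exit status is also only that of gpg, so a failing sha256sum goes unnoticed and gpg signs whatever partial input it received. Suggest writing to a temporary name and renaming it to $@ only on success, or removing $@ when the recipe fails. Minor style point: this line spells the option "--armour" while the $(GPG_FILE) rule just below uses "--armor"; use one spelling in both.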
--
2.20.1
* [PATCH 2/2] release: use xz compression
From: David Bremner @ 2019-03-19 10:08 UTC (permalink / raw)
To: notmuch
This produces tarballs that are roughly 30% smaller.
---
Makefile.global | 4 ++--
Makefile.local | 2 +-
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/Makefile.global b/Makefile.global
index 27c82433..e4dbce48 100644
--- a/Makefile.global
+++ b/Makefile.global
@@ -40,9 +40,9 @@ DEB_TAG=debian/$(UPSTREAM_TAG)-1
RELEASE_HOST=notmuchmail.org
RELEASE_DIR=/srv/notmuchmail.org/www/releases
RELEASE_URL=https://notmuchmail.org/releases
-TAR_FILE=$(PACKAGE)-$(VERSION).tar.gz
+TAR_FILE=$(PACKAGE)-$(VERSION).tar.xz
ELPA_FILE:=$(PACKAGE)-emacs-$(ELPA_VERSION).tar
-DEB_TAR_FILE=$(PACKAGE)_$(VERSION).orig.tar.gz
+DEB_TAR_FILE=$(PACKAGE)_$(VERSION).orig.tar.xz
SHA256_FILE=$(TAR_FILE).sha256.asc
GPG_FILE=$(TAR_FILE).asc
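Review bot: the .tar.xz suffix is now hard-coded in both TAR_FILE and DEB_TAR_FILE, while the compressor itself is chosen separately in Makefile.local, so the three can drift apart the next time the format changes. Consider a single variable for the compression suffix that both names use. The published file name under RELEASE_URL also changes from .tar.gz to .tar.xz, which affects anything that downloads releases by name; that deserves a line in the commit message or release notes.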
diff --git a/Makefile.local b/Makefile.local
index 79595925..d16245cb 100644
--- a/Makefile.local
+++ b/Makefile.local
@@ -36,7 +36,7 @@ $(TAR_FILE):
--transform s_^_$(PACKAGE)-$(VERSION)/_ \
--transform 's_.tmp$$__' --mtime=@$$ct version.tmp
rm version.tmp
- gzip -n < $(TAR_FILE).tmp > $(TAR_FILE)
+ xz -C sha256 -9 < $(TAR_FILE).tmp > $(TAR_FILE)
@echo "Source is ready for release in $(TAR_FILE)"
$(SHA256_FILE): $(TAR_FILE)
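Review bot: on the xz line, -9 selects a 64 MiB dictionary, which per the xz man page's preset table needs about 65 MiB of memory to decompress and several hundred MiB to compress; when the uncompressed tarball is smaller than the dictionary of a lower preset, -9 gives no size benefit over that preset. It would help to say which preset the "roughly 30% smaller" figure was measured with, and to add a comment explaining why -C sha256 is chosen over xz's default integrity check, since neither is evident from the recipe.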
--
2.20.1
* Re: [PATCH 1/2] release: provide clearsigned sha256sum
From: Daniel Kahn Gillmor @ 2019-03-23 12:56 UTC (permalink / raw)
To: David Bremner, notmuch
On Tue 2019-03-19 07:08:18 -0300, David Bremner wrote:
> To quote id:87ftrpgjdb.fsf@fifthhorseman.net
>
> if the thing verified is the output of sha256sum, then the
> *filename* of the tarball itself is included, then the standard
> verification step is sufficient to ensure that you've got the right
> version in the filename.
>
> This is in addition to the detached signature on the tarball
I think the 3-part series i published starting at
id:20190323123544.6264-1-dkg@fifthhorseman.net supersedes this patch.
thanks for maintaining our release processes, David!
--dkg
end of thread, other threads:[~2019-04-11 10:30 UTC | newest]
Thread overview: 7+ messages
2019-03-19 10:08 [PATCH 1/2] release: provide clearsigned sha256sum David Bremner
2019-03-19 10:08 ` [PATCH 2/2] release: use xz compression David Bremner
2019-03-23 12:59 ` Daniel Kahn Gillmor
2019-04-10 20:28 ` Tomi Ollila
2019-04-11 10:30 ` David Bremner
2019-03-27 21:02 ` David Bremner
2019-03-23 12:56 ` [PATCH 1/2] release: provide clearsigned sha256sum Daniel Kahn Gillmor