+1 (binding) Following up on my earlier note about the double-extension files: I finished checking the regular artifacts and they are all good, so this is not blocking my +1. What I verified:
- SHA512: all 59 artifacts (29 wheels + 29 sdists + the source tarball) OK - GPG signatures: all 59 good, signed with your key (1E7A857875E0EE49DB99E4431B17D6C5938CED00, present in KEYS) - Reproducible build: rebuilt all 29 wheels + 29 sdists and the source tarball from tag providers/2026-07-06 (commit d19a68a152) - all 59 byte-for-byte identical to what is in SVN - License: apache-rat clean on the source tarball One thing to clean up before promoting dev -> release (not blocking the vote): the SVN folder still has the ~236 stray double-extension files I mentioned (*.asc.asc, *.asc.sha512, *.sha512.asc, *.sha512.sha512) - the sign/checksum step ran over the .asc/.sha512 files themselves. They should be removed so they don't end up in the release area. Thanks for running the release, Vincent! J. --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
