+1 (binding)

Following up on my earlier note about the double-extension files: I finished
checking the regular artifacts and they are all good, so this is not blocking
my +1. What I verified:

- SHA512: all 59 artifacts (29 wheels + 29 sdists + the source tarball) OK
- GPG signatures: all 59 good, signed with your key
  (1E7A857875E0EE49DB99E4431B17D6C5938CED00, present in KEYS)
- Reproducible build: rebuilt all 29 wheels + 29 sdists and the source tarball
  from tag providers/2026-07-06 (commit d19a68a152) - all 59 byte-for-byte
  identical to what is in SVN
- License: apache-rat clean on the source tarball

One thing to clean up before promoting dev -> release (not blocking the vote):
the SVN folder still has the ~236 stray double-extension files I mentioned
(*.asc.asc, *.asc.sha512, *.sha512.asc, *.sha512.sha512) - the sign/checksum
step ran over the .asc/.sha512 files themselves. They should be removed so they
don't end up in the release area.

Thanks for running the release, Vincent!

J.

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to