I'm checking Cordova JS. The process gets extremely predictable once we get into everyone using Coho.
On Tue, Feb 25, 2014 at 1:47 PM, Michal Mocny <[email protected]> wrote: > Some tips, since I found this a pain to figure out. To verify the sha file > matches: > >> gpg --print-md SHA512 *.zip | diff - *.sha && echo "Exact match" >> gpg --print-md MD5 *.zip | diff - *.md5 && echo "Exact match" > > Oddly the output of gpg is different than that of sha512sum and md5sum so > you cannot use those commands to --check the sums, ugh. (We should > consider changing the way we generate those files, no?). > > I'm still trying to figure out how to make sure the zip is signed > correctly, but am having issues setting up my KEYS. > > All-in-all I don't think this is that useful of a process to do, since to > be really confident you would have to create the full release zip from > scratch from source control yourself and compare *that* to the hosted zip > to make sure we releasing what you think we are (as is we are just > verifying the download isn't corrupt). But I wanted to go through the > process. > > > > On Tue, Feb 25, 2014 at 3:33 PM, Lorin Beer <[email protected]>wrote: > >> I've just submitted my +1 for a number of the past releases, and thought >> I'd document here what the steps I took were. >> >> Since these are past releases, some of which I helped tag and have already >> run, the checklist is slightly simplified: >> >> - download package >> - sanity check package for expected release artifacts >> - tags are correct >> - commit hash matches the source >> >> >> On Tue, Feb 25, 2014 at 11:35 AM, Steven Gill <[email protected] >> >wrote: >> >> > It has been brought to our attention that some of our previous releases >> > were not voted on in accordance with the ASF by-laws. After some >> > discussion, we've decided to call a retroactive vote on these releases. A >> > vote is being conducted by the PMC and the results will be posted here >> when >> > complete. >> > >>
