Re: [FFmpeg-devel] [PATCH] web/download: Extend the verification procedure to check for difference between git and release tarball

Sat, 30 Mar 2024 10:32:05 -0700 

On 3/30/2024 2:30 PM, Michael Niedermayer wrote:

On Sat, Mar 30, 2024 at 11:51:17AM -0300, James Almer wrote:

On 3/30/2024 11:02 AM, Michael Niedermayer wrote:

Iam not 100% sure this is the best place to put this. But we should somewhere
describe what differences are expected

Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc>
---
   src/download | 34 ++++++++++++++++++++++++++++++++++
   1 file changed, 34 insertions(+)

diff --git a/src/download b/src/download
index 0e6fa7e..34733de 100644
--- a/src/download
+++ b/src/download
@@ -284,6 +284,40 @@ gpg:                using RSA key 
FCF986EA15E6E293A5644F10B4322F04D67658D8
   gpg:                issuer "ffmpeg-devel@ffmpeg.org"
   gpg: Good signature from "FFmpeg release signing key 
&lt;ffmpeg-devel@ffmpeg.org&gt;" [full]</pre>
         </li>
+      <li>
+        Verify that the release tarball matches the git tag: (expected 
differences are missing .git, .gitignore and .gitattributes and an additional 
VERSION file)
+        <pre>
+        $ diff -ru ffmpeg-5.1.4 gitdir2
+Only in gitdir2/doc/doxy: .gitignore
+Only in gitdir2/doc/examples: .gitignore
+Only in gitdir2/doc: .gitignore
+Only in gitdir2/ffbuild: .gitignore
+Only in gitdir2: .git
+Only in gitdir2: .gitattributes
+Only in gitdir2: .gitignore
+Only in gitdir2/libavcodec: .gitignore
+Only in gitdir2/libavcodec/tests: .gitignore
+Only in gitdir2/libavdevice: .gitignore
+Only in gitdir2/libavdevice/tests: .gitignore
+Only in gitdir2/libavfilter: .gitignore
+Only in gitdir2/libavfilter/opencl: .gitignore
+Only in gitdir2/libavfilter/tests: .gitignore
+Only in gitdir2/libavformat: .gitignore
+Only in gitdir2/libavformat/tests: .gitignore
+Only in gitdir2/libavutil: .gitignore
+Only in gitdir2/libavutil/tests: .gitignore
+Only in gitdir2/libswresample/tests: .gitignore
+Only in gitdir2/libswscale/tests: .gitignore
+Only in gitdir2/tests/api: .gitignore
+Only in gitdir2/tests/checkasm: .gitignore
+Only in gitdir2/tests: .gitignore
+Only in gitdir2/tools: .gitignore
+Only in ffmpeg-5.1.4: VERSION
+        </pre>
+      </li>
+      <li>
+        Verify that the tag in git is signed


The tags are signed with your key made for this purpose,
DD1EC9E8DE085C629B3E1846B18E8928B3948D64, and not with the tarball one
listed above. You should include it here the same way, unless the signature


yes but before doing that, do you think this is the best place to put all this?
Sure, why would it not? It's the section where we explain how to verify releases. 
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".

Reply via email to