On Mon, 21 May 2018 15:31:49 +0800, "吴晟 Sheng Wu" <wu.sh...@foxmail.com> wrote:
> I understand in next time, we should add svn revision number. And do
> you suggest we should add checksum in the mail?

Yes, checksums in the vote email can be good as they are easy to cross-check, say if there is an RC2 vote followed by RC1, a PMC member who accidentally tests the old one again would not get the right checksum.

Another reason is archival - a checksum sent to the email list, while unencrypted it is archived in multiple distributed archives and so becomes a permanent record about the versioned archive the PMC (eventually) publish and easy for anyone (say a Debian maintainer) to check/hardcode independent of the more origin-centric GPG signature.

This would also make it easier to detect a 'rogue committer' (or more likely a wrong command line) that publishes something that was not voted on.

In the end the checksum files on the https://www.apache.org/dist/ should then match a vote email. (AFAIK, nobody has attempted to automate such a check :)

You have done well switching to secure sha512, but unlike say md5 and sha1 these are unfortunately not so email-friendly due to long lines, so if you want to try with sha512, sha512224, or fall back to sha1 for votes.. I don't know what would be easiest for your project.

So I would let that be up to the SkyWalking community to decide, but IMHO at least one of either svn revision or checksum should be in the email so it's clear what is being voted on. :)

--
Stian Soiland-Reyes
The University of Manchester
https://www.esciencelab.org.uk/
https://orcid.org/0000-0001-9842-9718
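
The cross-check described in the message above, sketched as an added example (not code from the thread or from any Apache tool): it extracts SHA-512 digests from a vote email, rejoining ones the mail client wrapped across lines, and compares them with the digest of the artifact being checked. The artifact name, its bytes and the email text are constructed sample data, and the function names are hypothetical.

```python
import hashlib
import re

# Constructed sample data: a hypothetical artifact and a vote email whose
# SHA-512 digest was hard-wrapped by the mail client into 64-character lines.
ARTIFACT_NAME = "example-project-1.0.0-rc2-src.tgz"
ARTIFACT_BYTES = b"constructed release archive contents\n"
_DIGEST = hashlib.sha512(ARTIFACT_BYTES).hexdigest()
SAMPLE_VOTE_EMAIL = (
    "[VOTE] Release example-project 1.0.0 (RC2)\n\n"
    f"Artifact: {ARTIFACT_NAME}\n"
    "SHA512 checksum:\n"
    f"  {_DIGEST[:64]}\n  {_DIGEST[64:]}\n\n"
    "The vote is open for 72 hours.\n"
)

HEX_CHUNK = re.compile(r"[0-9a-fA-F]{8,}")  # shorter tokens could be English words


def digests_in_email(text, hex_len=128):
    """Return every hex digest of hex_len characters in text, rejoining wrapped ones."""
    text = re.sub(r"(?m)^[> \t]+", "", text)  # drop reply quoting and indentation
    found, run = set(), ""
    for token in text.split() + [""]:  # the trailing "" flushes the final run
        if HEX_CHUNK.fullmatch(token):
            run += token.lower()
            continue
        if len(run) == hex_len:
            found.add(run)
        run = ""
    return found


def was_voted_on(artifact_bytes, email_text):
    """True only if the artifact's SHA-512 appears in the archived vote email."""
    return hashlib.sha512(artifact_bytes).hexdigest() in digests_in_email(email_text)


if __name__ == "__main__":
    print("RC2 matches vote email:", was_voted_on(ARTIFACT_BYTES, SAMPLE_VOTE_EMAIL))
    print("other build matches:   ", was_voted_on(b"not the voted build", SAMPLE_VOTE_EMAIL))
```

In practice the email text would be fetched from a list archive and the bytes read from the downloaded release file; a mismatch means the published artifact is not the one named in that vote.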