Posted to dev@subversion.apache.org by Daniel Shahaf <d....@daniel.shahaf.name> on 2010/12/03 22:51:12 UTC

collecting signatures for releases: thoughts on collect_sigs.py@{2011-12-04}

[ Summary: collect signatures for releases via a CGI that verifies
signatures and commits them to a Subversion repository. ]


We now have a CGI script[1] that collects the signatures for release,
verifies them, and assembles them into *.asc files.  That automates
some work that previously fell upon the release manager.

Several features were suggested for the CGI:

* verify signatures as they are being collected [this was present in the CGI from day one]
* allow anyone (not just the RM) to retrieve collected signatures [this was implemented last week]
* notify dev@ upon new signatures
* notify IRC upon new signatures
* display statistics about the collected signatures

It seems to me that we could meet most of these requirements ---
specifically, the second, third, and fourth --- by storing the
signatures in a Subversion repository.  We could continue meeting
the first requirement by using the signature-verifying CGI as a doorway.

Specifically, the suggested process is:

* Signatures would be entered into the CGI.
* The CGI would verify them (like today).
* The CGI would then commit them to the backing repository. 
* Notification to dev@/IRC will be handled by standard post-commit hooks.

This addresses all but the 'statistics' criterion (which includes, for
example, reporting how many signatures each tarball currently has and
how they are distributed between Unix/Windows).

Thoughts?

Daniel


[1] http://work.hyrumwright.org/pub/svn/collect_sigs.py
    http://svn.apache.org/repos/asf/subversion/trunk/tools/dist/collect_sigs.py
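
The "verify, then commit" doorway proposed in the message above, as an added example that is not part of the original post and is not code from collect_sigs.py. It assumes verification is done by running gpg with --status-fd and reading its status lines; the allowlist, function names and sample status text are hypothetical and constructed for illustration.

```python
# Added example: decide from GnuPG status output (gpg --status-fd) whether a
# submitted detached signature may be committed. All data here is constructed.

# Status keywords that mean the signature must not be accepted.
FATAL = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}

# Hypothetical allowlist: full fingerprints of keys permitted to sign a release.
ALLOWED = {"0123456789ABCDEF0123456789ABCDEF01234567"}

# Constructed status output for a good signature, a tampered file, and a
# well-formed signature made by a key that is not on the allowlist.
GOOD_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Example Signer <signer@example.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2010-12-03 1291413072 0 4 0 1 2 00 0123456789ABCDEF0123456789ABCDEF01234567
"""
BAD_STATUS = "[GNUPG:] BADSIG 89ABCDEF01234567 Example Signer <signer@example.org>\n"
UNKNOWN_STATUS = GOOD_STATUS.replace("0123456789ABCDEF0123456789ABCDEF01234567",
                                     "FEDCBA9876543210FEDCBA9876543210FEDCBA98")


def parse_status(status_text):
    """Yield (keyword, args) for each '[GNUPG:] KEYWORD args...' line."""
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0] == "[GNUPG:]":
            yield fields[1], fields[2:]


def accept_signature(status_text, allowed=ALLOWED):
    """Return the signer's primary-key fingerprint if acceptable, else None."""
    signers = []
    for keyword, args in parse_status(status_text):
        if keyword in FATAL:
            return None  # reject even if a VALIDSIG line is also present
        if keyword == "VALIDSIG" and args:
            # The 10th field, when present, is the primary key's fingerprint;
            # it differs from the 1st when a signing subkey was used.
            signers.append((args[9] if len(args) >= 10 else args[0]).upper())
    # Policy of this example: exactly one valid signature per submission.
    if len(signers) != 1 or signers[0] not in allowed:
        return None
    return signers[0]
```

Only a submission for which accept_signature() returns a fingerprint would go on to the commit step, so the post-commit notifications never announce an unverified signature.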

What repository to use? Re: collecting signatures for releases: thoughts on collect_sigs.py@{2011-12-04}

Posted by Daniel Shahaf <d....@daniel.shahaf.name>.
Daniel Shahaf wrote on Sat, Dec 04, 2010 at 00:51:12 +0200:
> the backing repository [where *.asc files are maintained prior to blessing the release]

For 1.6 we can use the subversion.tigris.org repository (to which
blessed tarballs are eventually committed).  It's not configured
for CIA though.

For 1.7+ we could use either https://dist.apache.org/repos/dist/dev/
or a subtree of https://svn.apache.org/repos/asf/subversion/.  Both of
them are (or can be) tied to CIA and mailer hooks.

According to pquerna, the 'dev' area of the dist/ repository is an
appropriate place to collect votes for not-yet-blessed releases.  The
dist/ repository is also tied to the ASF's mirroring system via
svnpubsub: the master distribution directories are svnpubsub slaves of
that repository.