On Thu, Oct 09, 2014 at 08:16:29PM +0000, Phil Pennock wrote:
> Folks,
>
> Given a clean repository checkout, what is needed to be able to create
> the release tarballs for verification please?

Hello Peter,

How do you feel about providing GPG signatures for the tarballs and the git tags? This would fix this issue and make it possible for everybody to verify zsh's releases. For example, Debian has tools to automatically verify the upstream tarball after the download if upstream provides signatures. This allows maintainers to be sure they downloaded the correct tarball.

If you like, I could prepare a patch for the Makefile to sign the resulting tarballs, so a "make sign" is the only required action.

For Git it's even easier: instead of git tag $tag, you can just use git tag -s -m 'optional message' $tag and it will be signed. I'm already using signed tags for the website.

Regards
Simon

-- 
+ privacy is necessary
+ using gnupg http://gnupg.org
+ public key id: 0x92FEFDB7E44C32F9
Attachment:
signature.asc
Description: Digital signature
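As an added illustration of the "make sign" idea proposed above (this is not the zsh project's Makefile nor a patch from the email), a Makefile fragment that detach-signs each release tarball with GnuPG, lets a packager verify them, and creates a signed tag; the tarball names, version and key id are assumed placeholders.

```makefile
# Added example, not the zsh project's own build rules. All variable
# values below are placeholders; override them on the make command line.
VERSION  ?= X.Y.Z
TARBALLS  = zsh-$(VERSION).tar.gz zsh-$(VERSION)-doc.tar.gz   # assumed names
SIGNKEY  ?= 0x0000000000000000   # placeholder key id of the release manager
GPG      ?= gpg

# One ASCII-armoured detached signature (.asc) next to each tarball, so
# downstream tools (e.g. Debian's uscan/pgpsigurlmangle) can fetch both.
%.asc: %
	$(GPG) --local-user $(SIGNKEY) --armor --detach-sign --output $@ $<

.PHONY: sign verify tag

# "make sign" is the single action the release manager needs to run.
sign: $(addsuffix .asc,$(TARBALLS))

# Fail the build on the first bad or missing signature, so packagers and
# CI can rely on the exit status instead of reading gpg's output.
verify:
	@for t in $(TARBALLS); do \
	    $(GPG) --verify $$t.asc $$t || exit 1; \
	done

# Signed tag, as suggested in the email; anyone can check it later with
# "git tag -v zsh-$(VERSION)" once they trust the signing key.
tag:
	git tag -s -u $(SIGNKEY) -m "zsh $(VERSION)" zsh-$(VERSION)
```

The recipe lines must be indented with a tab, and verification only means something once the verifier has obtained and trusted the release key through a channel independent of the download site.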