<div dir="ltr"><div dir="ltr"><div dir="ltr"><br></div><br><div class="gmail_quote"><div dir="ltr">On Fri, Jan 11, 2019 at 3:30 PM Gerhard Lazu &lt;<a href="mailto:gerhard@lazu.co.uk">gerhard@lazu.co.uk</a>&gt; wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div dir="ltr">I've noticed that the bundle-otp script in <a href="http://github.com/erlang/otp" target="_blank">github.com/erlang/otp</a> is used when minor releases are produced, such as 21.2. I've also noticed that this script is responsible for creating the bundle.txt which contains the HEAD git sha at the time of bundling.<br></div><div dir="ltr"><br></div><div dir="ltr">Lukas, I can see that you have released 21.2, as well as 21.1. Would you be willing to sign OTP releases and upload the signature when creating a release on GitHub? On team RabbitMQ, this is an automated process for all public artefacts; I would be happy to help. We can use TravisCI and adapt bundle-otp for all releases, not only minor ones, as well as add GPG signing. What do you think?</div></div></blockquote><div><br></div><div>The bundling script is already done by travis, it just happens to be my user that is used to authenticate with github when updating the artifacts. <a href="https://github.com/erlang/otp/blob/master/.travis.yml#L92-L111">https://github.com/erlang/otp/blob/master/.travis.yml#L92-L111</a></div><div><br></div><div>The bundler was mainly something I did because Ericsson needed it, but if it can be extended to be useful to the open source community as well that would be great :)</div><div><br></div><div>Keep in mind though that one of the things that bundle-otp does is associate a corba version with an Erlang/OTP version. This is only possible to automate for major and minor releases, not for patches. 
So the otp-bundle.tar.gz should not be created for patches, but any GPG signing etc could be done for all tags.</div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div dir="ltr"><br></div><div>Thank you, Gerhard.</div></div><br><div class="gmail_quote"><div dir="ltr">On Wed, Jan 9, 2019 at 5:08 PM Gerhard Lazu <<a href="mailto:gerhard@lazu.co.uk" target="_blank">gerhard@lazu.co.uk</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr">I think it would be great to have checksums publicly available when a new Erlang/OTP patch is tagged on GitHub. Something as simple as this will do:<div><br></div><font face="monospace, monospace" style="background-color:rgb(255,242,204)">sha256sum OTP-21.2.2.tar.gz > OTP-21.2.2.tar.gz.sha256<br>curl --request POST --data-binary "@OTP-21.2.2.tar.gz.sha256" --header "Content-Type: text/plain" <a href="https://uploads.github.com/repos/erlang/otp/releases/OTP-21.2.2/assets?name=OTP-21.2.2.tar.gz.sha256" target="_blank">https://uploads.github.com/repos/erlang/otp/releases/OTP-21.2.2/assets?name=OTP-21.2.2.tar.gz.sha256</a></font></div><div dir="ltr"><div><div><br></div><div>Is this something that others are missing? If not, how do you answer "<i>I know that this Erlang/OTP build is legit</i>" in your production environments?</div></div><div><br></div><div>Thank you, Gerhard.</div></div></div></div></div></div></div>
</blockquote></div>
_______________________________________________<br>
erlang-questions mailing list<br>
<a href="mailto:erlang-questions@erlang.org" target="_blank">erlang-questions@erlang.org</a><br>
<a href="http://erlang.org/mailman/listinfo/erlang-questions" rel="noreferrer" target="_blank">http://erlang.org/mailman/listinfo/erlang-questions</a><br>
</blockquote></div></div></div>
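The `.sha256` asset Gerhard sketches above, seen from the consumer side: an added example, not code from the thread or from erlang/otp, that verifies a tarball against a `sha256sum`-format checksum file, refuses a checksum file that names a different artifact, and keeps the GPG signature check (the "GPG signing for all tags" Lukas mentions) as a separate step. The tarball and checksum in the demo are constructed stand-ins; `sha256sum`, `gpg` and a release key already in the keyring are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from erlang/otp. Verifies a
# release tarball against a sha256sum-style ".sha256" asset of the kind the
# thread proposes ("<hex>  <filename>" or "<hex> *<filename>"). The tarball
# and checksum used in the demo are constructed stand-ins.

# verify_release TARBALL SUMFILE
# 0 = digest matches, 1 = mismatch, 2 = malformed sum file, 3 = sum file
# names a different artifact (so "sha256sum -c" would have checked the wrong file).
verify_release() {
  tarball=$1; sumfile=$2
  line=$(head -n 1 "$sumfile" 2>/dev/null) || return 2
  expected=${line%% *}
  name=${line#* }; name=${name# }; name=${name#\*}
  printf '%s\n' "$expected" | grep -Eq '^[0-9a-f]{64}$' || { echo "malformed sum file" >&2; return 2; }
  [ "$name" = "$(basename "$tarball")" ] || { echo "sum file names '$name', not '$tarball'" >&2; return 3; }
  actual=$(sha256sum "$tarball" | cut -d' ' -f1)
  [ "$actual" = "$expected" ] || { echo "digest mismatch for $tarball" >&2; return 1; }
}

# A checksum published beside the artifact proves integrity, not origin: whoever
# can replace the tarball can replace the .sha256 too. A detached GPG signature
# from a release key is what ties the tarball to the project.
verify_signature() {
  gpg --verify "$1.asc" "$1"   # assumes the release key is in the local keyring
}

# Demo: a good checksum passes, a tampered tarball is rejected.
demo_roundtrip() {
  dir=$(mktemp -d) || return 1
  printf 'constructed stand-in, not a real OTP release\n' > "$dir/OTP-21.2.2.tar.gz"
  ( cd "$dir" && sha256sum OTP-21.2.2.tar.gz > OTP-21.2.2.tar.gz.sha256 )
  if verify_release "$dir/OTP-21.2.2.tar.gz" "$dir/OTP-21.2.2.tar.gz.sha256" 2>/dev/null
  then result=ok; else result=fail; fi
  printf 'tampered\n' >> "$dir/OTP-21.2.2.tar.gz"
  if verify_release "$dir/OTP-21.2.2.tar.gz" "$dir/OTP-21.2.2.tar.gz.sha256" 2>/dev/null
  then result="$result untampered?"; else result="$result tampered-detected"; fi
  rm -rf "$dir"
  printf '%s\n' "$result"
}
```

Running `demo_roundtrip` prints `ok tampered-detected`; `verify_signature` is the separate authenticity step and is only meaningful once the project publishes a signing key.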