[erlang-questions] Missing checksums for github.com/erlang/otp/releases

Gerhard Lazu gerhard@REDACTED
Fri Jan 11 15:29:24 CET 2019


I've noticed that the bundle-otp script in github.com/erlang/otp is used
when minor releases are produced, such as 21.2. I've also noticed that this
script is responsible for creating the bundle.txt which contains the HEAD
git sha at the time of bundling.

Lukas, I can see that you have released 21.2, as well as 21.1. Would you be
willing to sign OTP releases and upload the signature when creating a
release on GitHub? On team RabbitMQ, this is an automated process for all
public artefacts; I would be happy to help. We can use TravisCI and adapt
bundle-otp for all releases, not only minor ones, as well as add GPG
signing. What do you think?

Thank you, Gerhard.

On Wed, Jan 9, 2019 at 5:08 PM Gerhard Lazu <gerhard@REDACTED> wrote:

> I think it would be great to have checksums publicly available when a new
> Erlang/OTP patch is tagged on GitHub. Something as simple as this will do:
>
> sha256sum OTP-21.2.2.tar.gz > OTP-21.2.2.tar.gz.sha256
> curl --request POST --data-binary "@OTP-21.2.2.tar.gz.sha256" \
>   --header "Content-Type: text/plain" \
>   https://uploads.github.com/repos/erlang/otp/releases/OTP-21.2.2/assets?name=OTP-21.2.2.tar.gz.sha256
>
> Is this something that others are missing? If not, how do you answer "*I
> know that this Erlang/OTP build is legit*" in your production
> environments?
>
> Thank you, Gerhard.
>
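The two halves of the proposal above, producing a `.sha256` sidecar for a release tarball and later checking a download against it, as an added example that is not part of the thread and not the bundle-otp script. The tarball name, its contents and the temporary directory are constructed for the demo; the GitHub upload step from the quoted message is not reproduced here.

```shell
#!/bin/sh
# Added example, not from the erlang-questions thread: write a sha256 sidecar
# file for a release artefact and verify an artefact against it, the way a
# downstream build would before trusting a downloaded tarball.
set -eu

# Pick a SHA-256 tool: GNU coreutils sha256sum, or perl-based shasum elsewhere.
sha256_cmd() {
    if command -v sha256sum >/dev/null 2>&1; then
        echo "sha256sum"
    else
        echo "shasum -a 256"
    fi
}

# make_checksum FILE: writes FILE.sha256 next to FILE in the "<hash>  <name>"
# format that `sha256sum -c` reads. The name is recorded as a bare basename so
# the sidecar verifies from whatever directory the downloader unpacks into.
make_checksum() {
    file="$1"
    dir=$(dirname "$file")
    name=$(basename "$file")
    ( cd "$dir" && $(sha256_cmd) "$name" > "$name.sha256" )
}

# verify_checksum FILE: exit status 0 if FILE matches FILE.sha256, non-zero
# otherwise (missing sidecar, altered content, or renamed file all fail).
verify_checksum() {
    file="$1"
    dir=$(dirname "$file")
    name=$(basename "$file")
    ( cd "$dir" && $(sha256_cmd) -c "$name.sha256" >/dev/null 2>&1 )
}

# demo: build a constructed tarball, checksum it, verify it, then append a
# byte (a stand-in for a modified download) and confirm verification fails.
# Returns 0 only if the clean file passes and the altered file is rejected.
demo() {
    work=$(mktemp -d)
    # Constructed file name and payload; not a real OTP release.
    tarball="$work/OTP-0.0.0-example.tar.gz"
    printf 'constructed release payload\n' > "$tarball"
    make_checksum "$tarball"
    verify_checksum "$tarball" || { rm -rf "$work"; return 1; }
    printf 'x' >> "$tarball"
    if verify_checksum "$tarball"; then rm -rf "$work"; return 1; fi
    rm -rf "$work"
    return 0
}
```

The sidecar only proves that a download matches what was published on the same release page; it does not by itself establish who published it, which is why the reply above asks for a GPG signature over the artefact as well. Verifying that signature is a separate step that needs the release key to be distributed out of band.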