[erlang-questions] Missing checksums for github.com/erlang/otp/releases

Lukas Larsson lukas@REDACTED
Fri Jan 11 15:46:19 CET 2019

On Fri, Jan 11, 2019 at 3:30 PM Gerhard Lazu <gerhard@REDACTED> wrote:

> I've noticed that the bundle-otp script in github.com/erlang/otp is used
> when minor releases are produced, such as 21.2. I've also noticed that this
> script is responsible for creating the bundle.txt which contains the HEAD
> git sha at the time of bundling.
> Lukas, I can see that you have released 21.2, as well as 21.1. Would you
> be willing to sign OTP releases and upload the signature when creating a
> release on GitHub? On team RabbitMQ, this is an automated process for all
> public artefacts, I would be happy to help. We can use TravisCI and adapt
> bundle-otp for all releases, not only minor ones, as well as add GPG
> signing. What do you think?

The bundling script is already done by travis, it just happens to be my
user that is used to authenticate with github when updating the artifacts.

The bundler was mainly something I did because Ericsson needed it, but if
it can be extended to be useful to the open source community as well that
would be great :)

Keep in mind though that one of the things that bundle-otp does is
associate a corba version with an Erlang/OTP version. This is only possible
to automate for major and minor releases, not for patches. So the
otp-bundle.tar.gz should not be created for patches, but any GPG signing
etc could be done for all tags.

> Thank you, Gerhard.
> On Wed, Jan 9, 2019 at 5:08 PM Gerhard Lazu <gerhard@REDACTED> wrote:
>> I think it would be great to have checksums publicly available when a new
>> Erlang/OTP patch is tagged on GitHub. Something as simple as this will do:
>> sha256sum OTP-21.2.2.tar.gz > OTP-21.2.2.tar.gz.sha256
>> curl --request POST --data-binary "@OTP-21.2.2.tar.gz.sha256" --header
>> "Content-Type: text/plain"
>> https://uploads.github.com/repos/erlang/otp/releases/OTP-21.2.2/assets?name=OTP-21.2.2.tar.gz.sha256
>> Is this something that others are missing? If not, how do you answer "*I
>> know that this Erlang/OTP build is legit*" in your production
>> environments?
>> Thank you, Gerhard.
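As an added example that is not part of this thread or of the erlang/otp project: a POSIX shell script that verifies a downloaded release tarball against the `OTP-<ver>.tar.gz.sha256` file proposed above and, when one is present, against a detached GPG signature. It assumes GNU coreutils `sha256sum`; the file names and contents in the demo are constructed stand-ins.

```shell
#!/bin/sh
# Added example (not from the thread): consumer-side verification of a release
# artefact against the published .sha256 file and an optional detached signature.

# verify_release_checksum TARBALL SHA256FILE
# The .sha256 file is in `sha256sum` output format: "<hex>  <name>". The recorded
# digest is compared directly so the check works from any directory.
# Returns 0 when the digest matches, 1 otherwise.
verify_release_checksum() {
  tarball="$1"; sumfile="$2"
  [ -f "$tarball" ] && [ -f "$sumfile" ] || return 1
  expected=$(awk 'NR==1 {print tolower($1)}' "$sumfile")
  # A well-formed SHA-256 digest is exactly 64 hex characters; reject anything else
  # (an HTML error page saved as the .sha256 file, for example).
  printf '%s' "$expected" | grep -Eq '^[0-9a-f]{64}$' || return 1
  actual=$(sha256sum "$tarball" | awk '{print $1}')
  [ "$expected" = "$actual" ]
}

# verify_release_signature TARBALL SIGFILE
# Checks a detached signature (e.g. OTP-21.2.2.tar.gz.asc). The release signing
# key must already be in the local keyring, imported from a trusted source;
# a checksum alone only proves integrity, the signature proves origin.
verify_release_signature() {
  command -v gpg >/dev/null 2>&1 || { echo "gpg not installed" >&2; return 2; }
  gpg --batch --verify "$2" "$1" 2>/dev/null
}

# Demo with constructed files standing in for the real release artefacts:
# an intact tarball must verify, a modified one must not.
demo_checksum() {
  dir=$(mktemp -d)
  printf 'constructed stand-in for OTP-21.2.2.tar.gz\n' > "$dir/OTP-21.2.2.tar.gz"
  ( cd "$dir" && sha256sum OTP-21.2.2.tar.gz > OTP-21.2.2.tar.gz.sha256 )
  verify_release_checksum "$dir/OTP-21.2.2.tar.gz" "$dir/OTP-21.2.2.tar.gz.sha256"
  intact=$?
  printf 'one byte changed\n' >> "$dir/OTP-21.2.2.tar.gz"
  verify_release_checksum "$dir/OTP-21.2.2.tar.gz" "$dir/OTP-21.2.2.tar.gz.sha256"
  tampered=$?
  rm -rf "$dir"
  # Success only if the intact file passed and the tampered file failed.
  [ "$intact" -eq 0 ] && [ "$tampered" -ne 0 ]
}
```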