[erlang-questions] Missing checksums for github.com/erlang/otp/releases

Lukas Larsson lukas@REDACTED
Fri Jan 11 15:46:19 CET 2019


On Fri, Jan 11, 2019 at 3:30 PM Gerhard Lazu <gerhard@REDACTED> wrote:

> I've noticed that the bundle-otp script in github.com/erlang/otp is used
> when minor releases are produced, such as 21.2. I've also noticed that this
> script is responsible for creating the bundle.txt which contains the HEAD
> git sha at the time of bundling.
>
> Lukas, I can see that you have released 21.2, as well as 21.1. Would you
> be willing to sign OTP releases and upload the signature when creating a
> release on GitHub? On team RabbitMQ, this is an automated process for all
> public artefacts; I would be happy to help. We can use TravisCI and adapt
> bundle-otp for all releases, not only minor ones, as well as add GPG
> signing. What do you think?
>

The bundling script is already done by Travis; it just happens to be my
user that is used to authenticate with GitHub when updating the artifacts.
https://github.com/erlang/otp/blob/master/.travis.yml#L92-L111

The bundler was mainly something I did because Ericsson needed it, but if
it can be extended to be useful to the open source community as well that
would be great :)

Keep in mind though that one of the things that bundle-otp does is
associate a corba version with an Erlang/OTP version. This is only possible
to automate for major and minor releases, not for patches. So the
otp-bundle.tar.gz should not be created for patches, but any GPG signing
etc. could be done for all tags.


>
> Thank you, Gerhard.
>
> On Wed, Jan 9, 2019 at 5:08 PM Gerhard Lazu <gerhard@REDACTED> wrote:
>
>> I think it would be great to have checksums publicly available when a new
>> Erlang/OTP patch is tagged on GitHub. Something as simple as this will do:
>>
>> sha256sum OTP-21.2.2.tar.gz > OTP-21.2.2.tar.gz.sha256
>> curl --request POST --data-binary "@OTP-21.2.2.tar.gz.sha256" --header "Content-Type: text/plain" https://uploads.github.com/repos/erlang/otp/releases/OTP-21.2.2/assets?name=OTP-21.2.2.tar.gz.sha256
>>
>> Is this something that others are missing? If not, how do you answer "*I
>> know that this Erlang/OTP build is legit*" in your production
>> environments?
>>
>> Thank you, Gerhard.
>>
> _______________________________________________
> erlang-questions mailing list
> erlang-questions@REDACTED
> http://erlang.org/mailman/listinfo/erlang-questions
>
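What the consumer-side "is this build legit" check from the thread looks like, as an added example (not a script from erlang/otp or from either poster): it verifies the tarball against the sha256sum-format file Gerhard proposes and, when a detached GPG signature is also published, against that. The file names, the `.asc` suffix for the signature and the `verify_release` function are assumptions.

```shell
#!/bin/sh
# Verify a downloaded Erlang/OTP release tarball against the checksum file
# proposed in the thread ("<hex>  <filename>", as written by sha256sum) and,
# if one exists, a detached GPG signature. Example code for this page, not
# an erlang/otp script. Assumed names: OTP-<ver>.tar.gz, OTP-<ver>.tar.gz.sha256,
# OTP-<ver>.tar.gz.asc.

sha256_of() {
  # Portable digest: coreutils sha256sum where present, else BSD/perl shasum.
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# Returns 0 when the tarball matches its .sha256 file (and its .asc signature,
# if one is present); nonzero on mismatch, missing files or an unverifiable
# signature.
verify_release() {
  tarball=$1
  sums="$tarball.sha256"
  sig="$tarball.asc"

  [ -f "$tarball" ] || { echo "missing $tarball" >&2; return 1; }
  [ -f "$sums" ] || { echo "missing $sums" >&2; return 1; }

  # Pick the line naming this file so a stray entry for another artifact
  # cannot be matched by accident.
  expected=$(awk -v f="$(basename "$tarball")" '$2 == f {print $1; exit}' "$sums")
  actual=$(sha256_of "$tarball")
  if [ -z "$expected" ] || [ "$expected" != "$actual" ]; then
    echo "sha256 mismatch for $tarball" >&2
    return 1
  fi

  # A checksum served next to the tarball only proves the download was not
  # corrupted; a signature ties it to a key. If a signature is published,
  # fail closed when it cannot be checked rather than silently skipping it.
  if [ -f "$sig" ]; then
    command -v gpg >/dev/null 2>&1 || { echo "gpg not installed; cannot verify $sig" >&2; return 1; }
    gpg --verify "$sig" "$tarball" >/dev/null 2>&1 || { echo "bad signature on $tarball" >&2; return 1; }
  fi
  return 0
}

# Usage: . ./verify-otp.sh && verify_release OTP-21.2.2.tar.gz
```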