From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <zsh-workers-return-33442-mason-zsh=primenet.com.au@zsh.org>
Received: (qmail 23288 invoked by alias); 12 Oct 2014 17:05:54 -0000
Mailing-List: contact zsh-workers-help@zsh.org; run by ezmlm
Precedence: bulk
X-No-Archive: yes
List-Id: Zsh Workers List <zsh-workers.zsh.org>
List-Post: <mailto:zsh-workers@zsh.org>
List-Help: <mailto:zsh-workers-help@zsh.org>
X-Seq: 33442
Received: (qmail 21984 invoked from network); 12 Oct 2014 17:05:48 -0000
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on f.primenet.com.au
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,RCVD_IN_DNSWL_NONE
	autolearn=ham version=3.3.2
X-Originating-IP: [80.3.229.105]
X-Spam: 0
X-Authority: v=2.1 cv=RcseCjdv c=1 sm=1 tr=0 a=uz1KDxDNIq33yePw376BBA==:117
 a=uz1KDxDNIq33yePw376BBA==:17 a=NLZqzBF-AAAA:8 a=uObrxnre4hsA:10
 a=kj9zAlcOel0A:10 a=6EjVDL0tAAAA:8 a=8E-BwuEZT06dwo96TOUA:9 a=CjuIK1q_8ugA:10
 a=75sI3ZSEkfgA:10
Date: Sun, 12 Oct 2014 18:00:13 +0100
From: Peter Stephenson <p.w.stephenson@ntlworld.com>
To: zsh-workers@zsh.org
Subject: Re: reproducing release tarball for 5.0.7
Message-ID: <20141012180013.0d8f1b2e@pws-pc.ntlworld.com>
In-Reply-To: <20141011001908.GA18706@ruderich.org>
References: <20141009201629.GA10638@tower.spodhuis.org>
	<20141011001908.GA18706@ruderich.org>
X-Mailer: Claws Mail 3.8.0 (GTK+ 2.24.7; x86_64-redhat-linux-gnu)
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit

On Sat, 11 Oct 2014 02:19:08 +0200
Simon Ruderich <simon@ruderich.org> wrote:
> How do you feel about providing GPG signatures for the tarballs
> and the git tags? This would fix this issue and make it possible
> for everybody to verify zsh's releases. For example Debian has
> tools to automatically verify the upstream tarball after the
> download if upstream provides signatures. This allows maintainers
> to be sure they downloaded the correct tarball.
> 
> If you like I could prepare a patch for the Makefile to sign the
> resulting tarballs, so a "make sign" is the only required action.
> For Git it's even easier, instead of git tag $tag, you can just
> use git tag -s -m 'optional message' $tag and it will be signed.
> I'm already using signed tags for the website.

Could do, guess we need a new key for this.

pws