:: Re: [DNG] BAD sig with Devuan Jessi…
Top Page
Delete this message
Reply to this message
Author: Jaromil
Date:  
To: dng
Subject: Re: [DNG] BAD sig with Devuan Jessie 1.0.0-RC


dear Miroslav,

first of all thanks for your attention to details, your report and
that of another person in private is helping to review small problems
in the release process, one reason why this is an RC after all is that
we shouldn't give anything for granted in this process, but battle
test it as we are doing.

The problem with shasums in installer-iso was multiple

1) the amd64 DVD list.gz was somehow incompletely transferred from the
build server

2) the shasums file I signed was the one of the build server, not the
final one on the files.devuan.org distribution server and across
these two server the filenames were changed (because we use a new
file naming convention that is more script friendly) but the change
was not reflected in the sha256 sums


what i did to solve this now was:

1) transfer properly the list.gz (which does not affects the hashes
anyway, but ok that was not correct)

2) check that all the distributed iso files are matching with the
original ones that are on the build server, which is reachable only to
a few developers

3) resign the correct shasums file after careful checking, noticing
that no shasum has changed so the files stay the same and there was no
corruption

I'm now working on an automation of the process in the future so that
it can eliminate much of the errors made mostly because I operate it
by hand.

also this email is signed

ciao




-- 
~.,_   Denis Roio aka Jaromil    http://Dyne.org think &do tank
    "+.   CTO and co-founder      free/open source developers
      @)   ⚷ crypto κρυπτο крипто गुप्त् 加密 האנוסים المشفره
    @@)  GnuPG: 6113D89C A825C5CE DD02C872 73B35DA5 4ACB7D10
(@@@)  opmsg:73a8e097a038d82b 8afb4c05804bda0d 281b3880fbc19b88