-
Notifications
You must be signed in to change notification settings - Fork 1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
release: Release tarballs? How to sign releases? #1175
Comments
This is what we've done for 0.2.0 and 0.3.0.
We should consider this before the next release, and document the result in the process document. This will resolve this issue. |
What about using of CMake's CPack module: --- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -229,6 +229,18 @@ if(SECP256K1_BUILD_EXAMPLES)
add_subdirectory(examples)
endif()
+set(CPACK_SOURCE_GENERATOR TBZ2 TGZ TXZ)
+set(CPACK_SOURCE_IGNORE_FILES
+ \\.git/
+ build/
+ ci/
+ \\.cirrus\\.yml
+ \\.gitattributes
+ \\.gitignore
+)
+set(CPACK_VERBATIM_VARIABLES YES)
+include(CPack)
+
message("\n")
message("secp256k1 configure summary")
message("===========================") ? Here is an example of usage:
|
I wasn't aware of that one. I think that's yet another option, but I don't think it's any better than I lean towards keeping the github tarball. It's the same for everyone, and if we want to sign it, we can still verify its integrity by checking the files inside (okay, modulo malicious polyglots etc...) |
Not sure, but https://github.com/orgs/community/discussions/45830 may be an issue... |
Oh okay, this makes |
See #1287. |
We should revisit this before the next release. Whatever we decide on, we should update the release process to include a cursory manual inspection of the release tarball (are all aux/docs files present, etc.). |
Some things that popped up during the 0.2.0 release:
git archive
make dist
(diff should be justci
, and dotfiles)?Some considerations:
git archive
may be nice because it can be recreated locally. But then, if we want all maintainers to sign the tarball, we need to make sure it's deterministic.make dist
does not seem to be a good choice. It's a bit silly to not include files like.gitignore
and.cirrus.yml.
I mean this is for devs of the library, you would want to have these files. And this method depends on the build system and we want to support more than one build system in the future. (And this would raise questions like "should the autotools tarball include cmake files?" in the future.)The text was updated successfully, but these errors were encountered: