Dear ABCL maintainers,
I am a maintainer for the Homebrew package manager. Recently we noticed that the checksum of ABCL 1.9.1’s source tarball, downloaded from https://abcl.org/releases/1.9.1/abcl-src-1.9.1.tar.gz, has changed from 9dc2fb0886e97be1906e6d0a96671ef9d0f52b9f91817e4c64741cd18bf8e0d1 (as of 2023-02-20 10:19 UTC) to a5bc677c9441f4a833c20a541bddd16fff9264846691de9a1daf6699f8ff11e2. May I confirm if the source tarball was updated? Thanks!
Regards, Ruoyu
On Mar 22, 2023, at 09:33, Ruoyu Zhong <zhongruoyu@outlook.com> wrote:
> Dear ABCL maintainers,
> I am a maintainer for the Homebrew package manager. Recently we noticed that the checksum of ABCL 1.9.1’s source tarball, downloaded from https://abcl.org/releases/1.9.1/abcl-src-1.9.1.tar.gz, has changed from 9dc2fb0886e97be1906e6d0a96671ef9d0f52b9f91817e4c64741cd18bf8e0d1 (as of 2023-02-20 10:19 UTC) to a5bc677c9441f4a833c20a541bddd16fff9264846691de9a1daf6699f8ff11e2. May I confirm if the source tarball was updated? Thanks!
In the current release process, the files are allowed to change before the signatures are committed to.
Did https://abcl.org/releases/1.9.1/abcl-src-1.9.1.tar.gz.asc change on you?
> Did https://abcl.org/releases/1.9.1/abcl-src-1.9.1.tar.gz.asc change on you?
We verify downloads by their SHA-256 checksum, not signatures. But I was able to verify the validity of the signature locally:

    $ gpg -d abcl-src-1.9.1.tar.gz.asc
    gpg: assuming signed data in 'abcl-src-1.9.1.tar.gz'
    gpg: Signature made Thu Feb 23 20:29:07 2023 +08
    gpg: using DSA key 5491D207FF9ECDE0BEA277772A9641104DB1773D
    gpg: issuer "evenson.not.org@gmail.com"
    gpg: Good signature from "Mark Evenson <evenson.not.org@gmail.com>" [unknown]
    gpg: WARNING: The key's User ID is not certified with a trusted signature!
    gpg: There is no indication that the signature belongs to the owner.
    Primary key fingerprint: 5491 D207 FF9E CDE0 BEA2 7777 2A96 4110 4DB1 773D
    $ shasum -a 256 abcl-src-1.9.1.tar.gz
    a5bc677c9441f4a833c20a541bddd16fff9264846691de9a1daf6699f8ff11e2 abcl-src-1.9.1.tar.gz

> In the current release process, the files are allowed to change before the
> signatures are committed to.
In that case, I will determine that it is safe to proceed to update the SHA-256 checksum on our end. (I noted that FreeBSD Ports uses the current checksum, too.)
Thanks!
Regards, Ruoyu
On 22 Mar 2023, at 9:41 PM, Mark Evenson <evenson@panix.com> wrote:
> On Mar 22, 2023, at 09:33, Ruoyu Zhong <zhongruoyu@outlook.com> wrote:
>> Dear ABCL maintainers,
>> I am a maintainer for the Homebrew package manager. Recently we noticed that the checksum of ABCL 1.9.1’s source tarball, downloaded from https://abcl.org/releases/1.9.1/abcl-src-1.9.1.tar.gz, has changed from 9dc2fb0886e97be1906e6d0a96671ef9d0f52b9f91817e4c64741cd18bf8e0d1 (as of 2023-02-20 10:19 UTC) to a5bc677c9441f4a833c20a541bddd16fff9264846691de9a1daf6699f8ff11e2. May I confirm if the source tarball was updated? Thanks!
> In the current release process, the files are allowed to change before the signatures are committed to.
> Did https://abcl.org/releases/1.9.1/abcl-src-1.9.1.tar.gz.asc change on you?
> -- "A screaming comes across the sky. It has happened before but there is nothing to compare to it now."
armedbear-devel@common-lisp.net
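
The check discussed in this thread, as an added example that is not part of the original messages: when a pinned SHA-256 no longer matches, fall back to the detached signature and accept it only if gpg reports a good signature from a pinned primary key fingerprint, since "Good signature" alone does not tie the key to its owner. The function names are hypothetical, and the script assumes the signer's public key is already in the local keyring with its fingerprint confirmed out of band.

```shell
#!/bin/sh
# Values quoted in the thread above.
PINNED_SHA=9dc2fb0886e97be1906e6d0a96671ef9d0f52b9f91817e4c64741cd18bf8e0d1
PINNED_FPR=5491D207FF9ECDE0BEA277772A9641104DB1773D

# Print the SHA-256 of a file with whichever tool is installed.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Read `gpg --status-fd` lines on stdin. Print the primary key fingerprint
# (last VALIDSIG field) only if GOODSIG was also reported; fail otherwise.
good_sig_fpr() {
    awk '$1 == "[GNUPG:]" && $2 == "GOODSIG"  { good = 1 }
         $1 == "[GNUPG:]" && $2 == "VALIDSIG" { fpr = $NF }
         END { if (!good || fpr == "") exit 1; print fpr }'
}

# check_artifact FILE SIG PINNED_SHA PINNED_FPR
#   0: checksum still matches the pin
#   1: checksum changed, but SIG is a good signature by the pinned key
#   2: checksum changed and the signature cannot vouch for FILE
check_artifact() {
    actual=$(sha256_of "$1") || return 2
    if [ "$actual" = "$3" ]; then
        echo "checksum matches pin"
        return 0
    fi
    echo "checksum changed: $3 -> $actual" >&2
    fpr=$(gpg --status-fd 1 --verify "$2" "$1" 2>/dev/null | good_sig_fpr) || {
        echo "no good signature over $1" >&2
        return 2
    }
    if [ "$fpr" = "$4" ]; then
        echo "good signature by pinned key; review, then repin to $actual"
        return 1
    fi
    echo "good signature, but by unexpected key $fpr" >&2
    return 2
}

# Stand-alone use: sh check.sh abcl-src-1.9.1.tar.gz abcl-src-1.9.1.tar.gz.asc
if [ "$#" -eq 2 ]; then
    check_artifact "$1" "$2" "$PINNED_SHA" "$PINNED_FPR"
fi
```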