#28584 closed enhancement (fixed)

Give up on signing jars

Reported by: karsten
Owned by: karsten
Priority: Medium
Milestone:
Component: Metrics
Version:
Severity: Normal
Keywords:
Cc: metrics-team
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

As discussed in Mexico City, we're going to give up on signing jars.

The reason is that it makes the release process more complex for no real gain. We already sign release tarballs containing those jars.

In fact, when the release process is easier, we're going to add multiple signatures by multiple team members to the release tarball.

I'm going to post a metrics-base and metrics-lib patch soon.

Attachments (1)

0001-Stop-signing-jars.patch (3.0 KB) - added by karsten 23 months ago.

Change History (4)

Changed 23 months ago by karsten

comment:1 Changed 23 months ago by karsten

Status: assigned → needs_review

See attached metrics-base patch. (I don't have a personal metrics-base repository.) There wasn't much to see in the metrics-lib patch, just the removed CERT file. I'll create a proper patch branch after merging the metrics-base patch.

Please review that patch.

comment:2 Changed 22 months ago by irl

Status: needs_review → merge_ready

Looks good. For multiple signatures, we should do these by building ourselves and then just having the detached signatures merged. If we've messed up reproducible builds anywhere then we'll find out this way. It may be that our tarballs have timestamps in there (I think this is likely) so we should figure out how to resolve that.

Let's make this change first then we can run things through diffoscope a few times to see what else is left to do.
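
Added example, not part of the ticket or the metrics code: a Python sketch of the check comment:2 describes, deciding whether two independently built tarballs differ only in member metadata such as timestamps (in which case detached signatures from different builders cannot cover the same bytes) or in actual content. The file names and mtimes are constructed sample values.

```python
import hashlib
import io
import tarfile

# Constructed sample release contents (not real project files).
SAMPLE = {"demo-1.0/demo.jar": b"constructed jar bytes",
          "demo-1.0/README": b"constructed readme\n"}

def build_tarball(files, mtime):
    """Stand-in for one builder's release build, done at time `mtime`."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in sorted(files):
            info = tarfile.TarInfo(name)
            info.size = len(files[name])
            info.mtime = mtime  # per-member timestamp that breaks reproducibility
            tar.addfile(info, io.BytesIO(files[name]))
    return buf.getvalue()

def digest(blob):
    return hashlib.sha256(blob).hexdigest()

def member_view(blob):
    """Map member name -> (content digest, metadata tuple)."""
    view = {}
    with tarfile.open(fileobj=io.BytesIO(blob)) as tar:
        for m in tar.getmembers():
            data = tar.extractfile(m).read() if m.isfile() else b""
            meta = (m.mtime, m.mode, m.uid, m.gid, m.uname, m.gname)
            view[m.name] = (digest(data), meta)
    return view

def classify(blob_a, blob_b):
    """Return (verdict, member names) for two builds of the same release."""
    if digest(blob_a) == digest(blob_b):
        return "identical", []  # a signature over either build verifies on both
    a, b = member_view(blob_a), member_view(blob_b)
    changed = sorted(n for n in set(a) | set(b)
                     if n not in a or n not in b or a[n][0] != b[n][0])
    if changed:
        return "content", changed  # real difference: investigate before signing
    return "metadata-only", sorted(n for n in a if a[n][1] != b[n][1])

if __name__ == "__main__":
    alice = build_tarball(SAMPLE, mtime=1_500_000_000)
    bob = build_tarball(SAMPLE, mtime=1_500_000_600)
    print(classify(alice, bob))
```

A gzip-compressed tarball carries one more timestamp in the gzip header, so compare the uncompressed tar stream or fix that field as well.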

comment:3 Changed 22 months ago by karsten

Resolution: fixed
Status: merge_ready → closed

Okay, cool. Merged to metrics-base and patched the other five dependent code bases. Closing. Thanks!