This repository has been archived by the owner on May 4, 2021. It is now read-only.

Ticket29294 #332

Open
wants to merge 10 commits into
base: master
from
28 changes: 26 additions & 2 deletions scripts/maint/release.py
@@ -132,12 +132,36 @@ def main(args):
# While we use Github releases and not dist.tpo
print("\n6. Create release tarball")
print("-------------------------")

print("\nCreating a release tarball...")
subprocess.call(
"git archive --format=tar.gz --prefix=sbws-{}/ "
"-o v{}.tar.gz v{}"
.format(release_version, release_version, release_version).split(' ')
)
print("\nCreating tarball hash file...")
fd = open('v{}.tar.gz.sha256'.format(release_version), 'w')
subprocess.call("sha256sum v{}.tar.gz".format(release_version).split(' '),
stdout=fd)
fd.close()

print("Obtaining Github tarball...")
# This will overwrite local tarball, but that's fine since the hash file
Contributor


Overwriting the local tarball is only fine if the user reads the output of the script, and notices when the GitHub tarball is different. Please put the tarballs in separate files.

# won't be overwritten.
subprocess.call(
"torsocks wget https://github.com/torproject/sbws/archive/v{}.tar.gz"
.format(release_version).split(' ')
"wget https://github.com/torproject/sbws/archive/v{}.tar.gz "
"-O v{}.tar.gz"
.format(release_version, release_version).split(' ')
)

print("Verifying Github tarball and local one are the same...")
Contributor


I don't understand why we do a sha256 check, rather than a file diff check.
In fact, I'm not sure why we do this check at all?
Please add a comment explaining why it is important that GitHub matches our local tarball.

Are tarballs reproducible?
What happens if the tarballs are different?
Can they be different on different OSes?
Does GitHub guarantee that their tarballs are created with particular git and tar versions on a particular OS?

try:
subprocess.check_call("sha256sum -c v{}.tar.gz.sha256"
.format(release_version).split(' '))
except subprocess.CalledProcessError:
print("Tarballs are not the same")
sys.exit(1)

print("\n7. Create the tarball signature")
print("-------------------------------")
print("Creating detached signature...")
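Review bot: the return values of the three `subprocess.call(...)` invocations in this hunk (`git archive`, `sha256sum`, `wget`) are discarded, so a failed archive or download is only noticed later by `sha256sum -c`, and is then reported as "Tarballs are not the same" instead of the real error; use `subprocess.check_call` for them, as the later check already does. Downloading with `-O v{}.tar.gz` also replaces the locally generated tarball before the comparison runs, so when the check fails the file that step 7 is about to sign is already the GitHub copy rather than the local one; write the download to a separate name (for example `v{}-github.tar.gz`) and compare the two files instead of overwriting. Finally, the removed line ran `torsocks wget` while the added line runs `wget` directly; if dropping torsocks is intended, say so in the commit message, since it changes how the release host reaches GitHub.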