Update image to 2019.03 #23
Comments
|
It would appear that rakudo/star#124 (comment) is referencing this new key but doesn't include a fingerprint (or even keyid). 😕 Maybe the release fingerprint is something they'd be willing to add to the website so users can verify it easily as well as distributors? |
|
I figured you did but didn't want to be rude and @ you directly! 😅 It would be really awesome to publish the PGP key full fingerprint somewhere like the website (accessible via |
|
@tianon I am not really sure what I should do 😅 but if you walk me through the steps I'll make them. |
|
@tianon my key is listed here if it helps: |
|
Oh nice, yeah, I'd recommend publishing It would probably also make sense to include the old signing key for posterity's sake. This is one place the PHP project really shines: https://www.php.net/downloads.php (see "GPG Keys" down on that page where they publish the full fingerprint for each release's "release team" members so downloads can be verified appropriately). They've also got https://www.php.net/gpg-keys.php for folks looking to verify even older releases, although I don't think you necessarily need to go to that extent. 😅 |
This updates the Rakudo Star version to 2019.03 from 2018.10. The maintainer for Rakudo Star changed between 2018.10 and 2019.03 so the existing fingerprint used to retrieve the key and verify the tarball is not valid for the new release. Updating to include the new fingerprint along with the previous one; the old one will be used if the user sets the "rakudo_version" arg to a release prior to 2019.03 when building. See [Github Issue Raku#23](Raku#23)
|
Hey @hoelzro, @tianon, @hankache, I added a commit updating the version and including the new fingerprint. I've submitted a PR for it here. I'm not sure what I submitted is the the best way to go about it (it's got an ugly bit of shell scripting to select between the old and new fingerprints depending on the |
|
This was fixed by #24, right? |
|
Yes this was fixed and can be closed. |
The change is normally pretty trivial, but now that the docker build process uses GPG to verify the integrity of the tarball, and since the key used to generate the signature for 2019.03 differs from the one used for 2018.10, we need a way to verify that the key is authentic.
CC @jstuder-gh
The text was updated successfully, but these errors were encountered: