<div dir="ltr"><div class="gmail_extra"><div class="gmail_quote">On Wed, Apr 3, 2013 at 6:14 PM, Thomas Hervé <span dir="ltr">&lt;<a href="mailto:therve@free.fr" target="_blank">therve@free.fr</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
* Glyph mumbled something about sha sums of the release files, instead<br>
of md5. Should we pursue that? We may need to update some trac<br>
integration code.<br></blockquote><div><br></div><div>Depends, what's the goal of the checksums? If it's "we want people to be able to check that the tarball they have is in fact the release and not something tainted by patches or malware", perhaps we either should have a Twisted signing key, or have the release manager sign the release instead (especially since we have a lot of signatures since PyCon :)).<br>
<br></div></div>-- <br><div dir="ltr">cheers<div>lvh</div></div>
</div></div>