|
|
Boost : |
Subject: Re: [boost] Boost 1.61.0 has been released
From: Tom Kent (lists_at_[hidden])
Date: 2016-05-13 21:05:25
On Fri, May 13, 2016 at 12:40 PM, Michael Witten <mfwitten_at_[hidden]> wrote:
> On Fri, May 13, 2016 at 4:54 PM, Vladimir Prus <vladimir.prus_at_[hidden]>
> wrote:
>
> > Hi Michael,
> >
> > On Fri, May 13, 2016, 19:01 Michael Witten <mfwitten_at_[hidden]> wrote:
> >>
> >> On Fri, May 13, 2016 at 12:07 PM, Rene Rivera <grafikrobot_at_[hidden]>
> >> wrote:
> >>
> >> > Release 1.61.0 of the Boost C++ Libraries is now available.
> >>
> >> No, it's not released yet.
> >>
> >> It's not released until there are associated with the files
> >> immediately obvious digital signatures that can be verified with a
> >> well known personal public key (like that of Vladimir Prus).
> >>
> >> Please, quit fscking around.
> >
> >
> > Thanks for your reminder! The signed hashes file will be available later,
> > most likely next Tuesday. Sadly, if you require this file before using
> > 1.61.0, you would have to wait.
> >
> > That said, the definition a Boost release is made by release managers,
> it's
> > not a universal law of physics. Presently, that definition does not
> include
> > any digital signatures. The signatures I included with a couple of
> release
> > candidates were an experiment to see how many people appear to care (the
> > answer was one, Tom), and how complicated it is (the answer is that GPG
> is
> > quite a mess, especially on Windows or if you do not want your master
> key on
> > a random cloud server). No decison is made yet.
> >
> > You are welcome to push on this and make concrete suggestions, but the
> > impact will be directly proportional to how polite your messages are
> worded.
>
> So, because only Tom explicitly responded, it must be the case that
> only Tom cared; it must be the case that only Tom will ever care.
>
> Actually, Tom's emails are quite useful, because his own digital signature
> compounds the confirmation of your digital signature.
>
> I have made many concrete suggestions and I have been very polite;
> it doesn't seem to do anything.
>
> Your personal inability to find a convenient way to produce and present
> digital signatures is irrelevant; they are something that *must* be done
> in this day and age, and I cannot fathom why there is so much incredulity
> about that fact.
>
> Perhaps, Tom would be willing to take on the task of constructing the
> files and/or composing the digital signatures, at least until some
> agreeable
> release recipe can be established for other maintainers to follow
> mindlessly.
>
For the record, the files containing the windows binaries have been hashed
and signed. If you really need that, you could download one of them and
extract the source from it as the entire source distribution is within them.
Tom
Boost list run by bdawes at acm.org, gregod at cs.rpi.edu, cpdaniel at pacbell.net, john at johnmaddock.co.uk