From mboxrd@z Thu Jan 1 00:00:00 1970
Message-ID: <7d01e878-f820-457c-9c65-53b985ba04a0@gmail.com>
Date: Sat, 30 Mar 2024 14:31:54 -0300
To: ffmpeg-devel@ffmpeg.org
References: <20240330140225.3395-1-michael@niedermayer.cc> <20240330173039.GW6420@pb2>
From: James Almer
In-Reply-To: <20240330173039.GW6420@pb2>
Subject: Re: [FFmpeg-devel] [PATCH] web/download: Extend the verification procedure to check for difference between git and release tarball

On 3/30/2024 2:30 PM, Michael Niedermayer wrote:
> On Sat, Mar 30, 2024 at 11:51:17AM -0300, James Almer wrote:
>> On 3/30/2024 11:02 AM, Michael Niedermayer wrote:
>>> I am not 100% sure this is the best place to put this. But we should somewhere
>>> describe what differences are expected
>>>
>>> Signed-off-by: Michael Niedermayer
>>> --- >>> src/download | 34 ++++++++++++++++++++++++++++++++++ >>> 1 file changed, 34 insertions(+) >>> >>> diff --git a/src/download b/src/download >>> index 0e6fa7e..34733de 100644 >>> --- a/src/download >>> +++ b/src/download >>> @@ -284,6 +284,40 @@ gpg: using RSA key FCF986EA15E6E293A5644F10B4322F04D67658D8 >>> gpg: issuer "ffmpeg-devel@ffmpeg.org" >>> gpg: Good signature from "FFmpeg release signing key <ffmpeg-devel@ffmpeg.org>" [full] >>> >>> +
  • >>> + Verify that the release tarball matches the git tag: (expected differences are missing .git, .gitignore and .gitattributes and an additional VERSION file) >>> +
    >>> +        $ diff -ru ffmpeg-5.1.4 gitdir2
    >>> +Only in gitdir2/doc/doxy: .gitignore
    >>> +Only in gitdir2/doc/examples: .gitignore
    >>> +Only in gitdir2/doc: .gitignore
    >>> +Only in gitdir2/ffbuild: .gitignore
    >>> +Only in gitdir2: .git
    >>> +Only in gitdir2: .gitattributes
    >>> +Only in gitdir2: .gitignore
    >>> +Only in gitdir2/libavcodec: .gitignore
    >>> +Only in gitdir2/libavcodec/tests: .gitignore
    >>> +Only in gitdir2/libavdevice: .gitignore
    >>> +Only in gitdir2/libavdevice/tests: .gitignore
    >>> +Only in gitdir2/libavfilter: .gitignore
    >>> +Only in gitdir2/libavfilter/opencl: .gitignore
    >>> +Only in gitdir2/libavfilter/tests: .gitignore
    >>> +Only in gitdir2/libavformat: .gitignore
    >>> +Only in gitdir2/libavformat/tests: .gitignore
    >>> +Only in gitdir2/libavutil: .gitignore
    >>> +Only in gitdir2/libavutil/tests: .gitignore
    >>> +Only in gitdir2/libswresample/tests: .gitignore
    >>> +Only in gitdir2/libswscale/tests: .gitignore
    >>> +Only in gitdir2/tests/api: .gitignore
    >>> +Only in gitdir2/tests/checkasm: .gitignore
    >>> +Only in gitdir2/tests: .gitignore
    >>> +Only in gitdir2/tools: .gitignore
    >>> +Only in ffmpeg-5.1.4: VERSION
    >>> +        
    >>> +
  • >>> +
  • >>> + Verify that the tag in git is signed
>>
>> The tags are signed with your key made for this purpose,
>> DD1EC9E8DE085C629B3E1846B18E8928B3948D64, and not with the tarball one
>> listed above. You should include it here the same way, unless the signature
>
> yes but before doing that, do you think this is the best place to put all this?

Sure, why would it not? It's the section where we explain how to verify releases.
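
Review bot: The added `$ diff -ru ffmpeg-5.1.4 gitdir2` example never says how `gitdir2` is produced, so a reader cannot tell that it has to be a checkout of the git tag for that same release; add the clone and checkout step before the diff. The long run of expected `Only in gitdir2: .gitignore` lines also makes a real discrepancy easy to overlook. Consider `diff -ru -x .git -x .gitignore -x .gitattributes ffmpeg-5.1.4 gitdir2`, which on the output shown would leave `Only in ffmpeg-5.1.4: VERSION` as the only expected line, and state explicitly that any other output, in particular a content difference in a file present on both sides, means the tarball does not match the tag.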