Update PR template instructions #61
Open
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
cfm
requested changes
Feb 28, 2025
| @@ -7,4 +7,5 @@ Name of package: | |||
| - [ ] Tag in securedrop-workstation repository is correct: https://github.com/freedomofpress/securedrop-workstation/releases/tag/x.y.z | |||
| - [ ] Build logs are included: https://github.com/freedomofpress/build-logs/commit/1234 | |||
| - [ ] CI is passing, the rpm is properly signed with the prod key | |||
| - [ ] Unsigned RPM after running `rpm --delsign` (in Debian Stable) on the signed RPM results in the checksum found in the build logs | |||
| - [ ] Unsigned RPM after running `rpm --delsign` (use same version of rpmsign from the build container) on the signed RPM results in the checksum found in the build logs | |||
There was a problem hiding this comment.
With #62 we could reduce this to something like:
Suggested change
| - [ ] Unsigned RPM after running `rpm --delsign` (use same version of rpmsign from the build container) on the signed RPM results in the checksum found in the build logs | |
| - [ ] `tests-fedora` shows the same hash for the unsigned RPM as found in the pre-signature build log |
| @@ -7,4 +7,5 @@ Name of package: | |||
| - [ ] Tag in securedrop-workstation repository is correct: https://github.com/freedomofpress/securedrop-workstation/releases/tag/x.y.z | |||
| - [ ] Build logs are included: https://github.com/freedomofpress/build-logs/commit/1234 | |||
| - [ ] CI is passing, the rpm is properly signed with the prod key | |||
| - [ ] Unsigned RPM after running `rpm --delsign` (in Debian Stable) on the signed RPM results in the checksum found in the build logs | |||
| - [ ] Unsigned RPM after running `rpm --delsign` (use same version of rpmsign from the build container) on the signed RPM results in the checksum found in the build logs | |||
| - [ ] RPM independently bit-for-bit reproduced by another maintainer | |||
There was a problem hiding this comment.
Suggest making this as concrete as possible:
Suggested change
| - [ ] RPM independently bit-for-bit reproduced by another maintainer | |
| - [ ] `make build-rpm` run by someone else produces the same hashes to confirm reproducibility |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Update PR instructions to clarify that rpmsign is what matters for rpm --delsign check. Add review checklist item to independently reproduce rpm build.