Bitcoin Core 0.21.0 was released
It is available from https://bitcoincore.org/bin/bitcoin-core-0.21.0/
Release mail: https://lists.linuxfoundation.org/pipermail/bitcoin-core-dev/2021-January/000097.html
@orionwl It'd be good to timestamp SHA256SUMS.asc
@pete good point i'll look into installing OTS on the release signing machine
(it's not entirely trivial for…reasons…)
@orionwl Does it really need to be on the release signing machine? OTS proofs are self-verifying after all, so all you need is the ability to upload to the website.
@pete oh right! i was thinking of the git gpg wrapper, but that's not what one'd use here i suppose
what would be your suggested order?
- make SHA256SUMS
- sign it to make SHA256SUMS.asc
- timestamp it to make SHA256SUMS.asc.ots
then ship the .asc and .asc.ots
or something else?
@orionwl Yeah, simply timestamp SHA256SUMS.asc and upload the .ots proof.
I'd advise *against* timestamping the SHA256SUMS files directly, as that gives the wrong impression as to what the main purpose of the timestamp is: validation of the PGP signatures into the future, not validation of the releases themselves.
@orionwl I've got literally hundreds of gigabytes of stuff in git repos, using git-annex. Even without git-annex, storing binaries in git repos when the intent is long-term 100% complete archiving is fine. Only downside is normal checkouts take up twice the space.
Looks like the full set of binaries is a couple hundred MB. git can handle that just fine out of the box.
@FreePietje @orionwl @joeyh git-annex is awesome software! I've been using it for years.
@pete that would work, though i don't think a git repository is particularly suitable for storing binaries
in any case: i've uploaded a timestamped .asc here: https://bitcoincore.org/bin/bitcoin-core-0.21.0/SHA256SUMS.asc.ots
will try to do so from now on for releases