[wp-meta] [Making WordPress.org] #7667: core release process: Verify ZIP recreation is intended
Making WordPress.org
noreply at wordpress.org
Fri Jun 7 20:25:31 UTC 2024
#7667: core release process: Verify ZIP recreation is intended
-----------------------------+---------------------
Reporter: dd32 | Owner: (none)
Type: task (blessed) | Status: new
Priority: normal | Milestone:
Component: Version Control | Resolution:
Keywords: |
-----------------------------+---------------------
Comment (by bradshawtm):
> It is expected that during releases, a file may need to be rebuilt.

Is there an example as to why this might need to happen (without a
maintenance release)? Has this happened previously? Is there a running
changelog or somewhere that we can see when a zip is newly released and
why?

> This can cause problems for some 3rd party tools that expect that the
> sha1 hash never changes post-release

Given this is the purpose of the checksum, I think it's a reasonable
expectation. If we can't trust a checksum hash of a given release to be
stable, we have no way of knowing should the supply chain be compromised.
--
Ticket URL: <https://meta.trac.wordpress.org/ticket/7667#comment:2>
Making WordPress.org <https://meta.trac.wordpress.org/>