A Verifiable Source-Review Archive for Every Release
Deterministic source snapshots, license compliance, and signed checksums wired into the release.
When Gantry ships a paid release, a customer needs more than the binary they downloaded. They need to see the source that produced it, confirm it has not been tampered with, and know which third-party code it carries and under what terms. Before this job, a release was a binary with a hand-maintained attribution file — no accompanying source, no machine-checked license policy, and no verification a recipient could actually run.
This job built the source-review archive: a reviewable snapshot of the shipped code, assembled from tracked files under an explicit allow-list that leaves out repository history, CI internals, and Gantry's own build artifacts. Around it came generated notices for bundled dependencies, a permissive-only dependency-license policy, a metadata record tying the archive to the tagged build, and a cryptographic chain — a combined checksum file and a detached signature against a committed public key — that lets anyone confirm both the binary and the archive are the genuine, unaltered release.
Build
The plan split a locally provable compliance foundation from the release-pipeline wiring that ships it. The decisive move was implementing archive assembly as a committed script that both the tests and the workflow call, so the archive was proven from a clean checkout before any release machinery leaned on it.
The first milestone owned everything checkable on a developer's machine with no release tools installed: the archive-assembly script, the metadata it embeds, generated dependency notices, and a permissive-only license policy guarded by tests. The second wired that foundation into the release workflow — staging the archive beside the binary tarballs, computing checksums over the whole set, signing them, and documenting how a customer verifies a download. Putting assembly in a committed executable script that both sides invoke is what made the split hold: the foundation's tests could build the archive and assert its contents, determinism, and exclusions from a clean checkout, leaving the release job to call the same script rather than reimplement it.
Where the cut came under stress was a correspondence no test could see textually. Reviews in the foundation milestone forced re-plans on the assembly and archive-test sprints, and a milestone-level re-plan recorded the finding that mattered: two distinct digests exist for the archive and must never be treated as equal. The one embedded inside the metadata file is a canonical rebuild digest for reproducing the archive independently; the one a customer checks their download against is the hash of the final shipped zip, which cannot equal a value stored inside that same zip. That distinction became a written constraint carried into the pipeline milestone, so the checksum step and the customer-facing verification docs were built to keep the two apart from the start.
The gate stayed green the whole way. The difficulty here was never a failing test but a plausible equality that would have looked correct and quietly broken verification. Review is where it was caught, and the re-plan is where the boundary between the two milestones was redrawn to encode it.
Feature
Gantry's distribution used to end at a binary tarball with hand-updated attribution and nothing a buyer could verify. This job left a deterministic source snapshot, a machine-checked license policy, generated notices, and a signed checksum chain — most of which still stands, with the assembly script at its core.
A release used to carry one piece of compliance material, a hand-updated notices file, with no source snapshot and no way for a buyer to prove the download was authentic. The job replaced that with a set of parts that fit together: an assembly script that builds a byte-deterministic archive from tracked source under an explicit allow-list; a metadata record inside the archive establishing correspondence with the tagged build; a dependency-license policy that accepts only permissive identifiers and is guarded by tests; generated notices packaged both in the archive and beside each binary tarball; and a verification path built on a combined checksum file, a detached signature, and a committed public key.
Standing in the tree today, the durable core is intact. The assembly script is still present and remains the largest surviving piece of the job; the permissive-only license policy, the license-check CI workflow, the public signing key, and the generated notices with their generator are all still in place, and the README's verification instructions survive and have since been expanded. The tests the foundation milestone wrote were not deleted but relocated into the integration test tree.
Two pieces have since been superseded, both readably. The draft review-license text the plan kept provisional — it was told not to pick a final business license — was replaced by the final Gantry Source License, which is what the archive now ships. And the release workflow this job wired everything into was removed outright when Gantry retired the hosted-releases distribution model in favour of private hosting; the archive, compliance, and verification machinery it fed outlived the workflow that first carried it.