Release v1.5.2 requested

[jwnimmer-tri]

I have been testing recent changes extensively, and after #586, #587, #588 land I believe LCM will be in great shape for my ecosystem of users. I would like to publish to https://registry.bazel.build/, and that would be easier if there was an official v1.5.2 release tagged from the latest master after those merge. Would you consider tagging a new release after those PRs?

---

Second request -- after the next release, it would help if you could download the Source code (tar.gz) link from the release and then re-upload it as a release attachment. The auto-generated Source code (tar.gz) used by downstream package managers is actually not checksum-stable per GitHub. When unpacked it will be invariant, but the tar and gz process can change how they encode and compress the data. For packaging ecosystems that verify checksums, this can lead to failures down the road. Packagers always need a separate attachment of sources; the auto-generated ones are (unfortunately) unsuitable.

See https://github.com/orgs/community/discussions/46034 for details. Here's google's AI Overview FWIW:

GitHub's approach to release checksum stability distinguishes between two types of archives:

Uploaded Release Assets:

These are files (e.g., binaries, archives) that a repository maintainer explicitly uploads to a GitHub Release. GitHub guarantees the stability of these assets and their corresponding checksums. As of June 2025, GitHub automatically computes and displays SHA256 checksums for all uploaded release assets, making verification straightforward via the UI, API, or gh CLI.

Dynamically Generated Source Code Archives:

These are the "Source code (zip)" and "Source code (tar.gz)" files automatically generated by GitHub for each tag or release. The checksums of these archives are not guaranteed to be stable. They are generated on-demand using git archive and are sensitive to changes in Git's internal mechanisms (e.g., compression algorithms, versions of underlying tools like tar or gzip). A notable incident in early 2023 demonstrated this when a change in Git's default compression caused checksums of these archives to change, even though the content remained the same, impacting systems relying on their stability.

In summary:

For stable and reliable checksums, always use explicitly uploaded release assets. These are guaranteed to remain unchanged once published.

Checksums of dynamically generated source code archives are subject to change: and should not be relied upon for integrity verification if long-term stability is required. If using these, be prepared to update checksums if they change due to GitHub's internal updates.

[nosracd]

Would you consider tagging a new release after those PRs?

Absolutely; that makes sense to me

Second request -- after the next release, it would help if you could download the Source code (tar.gz) link from the release and then re-upload it as a release attachment.

Yes I can do so. Would it be helpful to do so retroactively or just for future releases?

Also, would you consider opening a PR to update docs/release_checklist with this new step?

[jwnimmer-tri]

Also, would you consider opening a PR to update docs/release_checklist with this new step?

(For the record, done in #592.)

Yes I can do so. Would it be helpful to do so retroactively or just for future releases?

In theory adding the attachments retroactively might help someone, but they might not end up being used. I think it would be OK to only do it on future releases.

[jwnimmer-tri]

Anything I can do to help here?

I figured summarizing the release notes might help:

---

• General
  • Releases now provide a stable source archive attachment
  • Documentation improvements
• Build system
  • Add support for MSVC
  • Add support for macOS 15 and drop support for macOS 13
  • Add support for Fedora 42 and drop support for Fedora 41
  • Add support for Bazel
  • Add Python 3.14 wheels and drop Python 3.7 wheels
  • Add armv7 wheels
  • Upgrade minimum CMake version to 3.10
  • Switch CMake from deprecated FindPythonInterp to new FindPython
  • Install lcm-sources.jar for IDE Javadoc integration
  • Remove uses of deprecated distutils module
• liblcm
  • Export only public symbols
  • Add LCM_C_NAMESPACE config option to change the C ABI symbol prefix
  • Refresh the channel_port_mapping lcmtypes codegen
• lcm-gen
  • Avoid unused variable warning for empty messages
• lcm-spy
  • Add support for running on Windows
  • Improve logic to find jchart2d
• lcm-logplayer-gui
  • Add support for running on Windows

[jwnimmer-tri]

(Of course I don't mind any version number. With the new platform/wheel support, possibly 1.6.0 is better.)

[nosracd]

Anything I can do to help here?

I don't think so, although I appreciate the offer. I was planning to carve out some time today or tomorrow to cut the release. Would sooner be better to get you unblocked?

I figured summarizing the release notes might help:

Thanks! That it quite helpful.

(Of course I don't mind any version number. With the new platform/wheel support, possibly 1.6.0 is better.)

1.5.2 makes sense to me. I consider the semantic versioning to apply to only the core C library, including LCM gen. Anything like which platforms we support is peripheral in my mind.

[jwnimmer-tri]

I was planning to carve out some time today or tomorrow to cut the release.

Even sometime over the next week is no problem for me.

Anything like which platforms we support is peripheral in my mind.

SGTM.

[nosracd]

The v1.5.2 release is now live and the source code has been reuploaded

[jwnimmer-tri]

Thanks!

FYI I'm publishing the release to Bazel's package registry now: bazelbuild/bazel-central-registry#6286