Re: Gnome Flatpak build system, descriptions and questions

On Fri, 2016-08-26 at 11:48 -0400, Shaun McCance wrote:
IIRC, won't let you push an unsigned tag.

I've been doing it for a while, so it most certainly does! I don't see
value in signing our tags as (a) clearly nobody is checking the
signatures, and (b) we don't currently have any centralized registry of
trusted keys, so it's not possible to know which signatures to trust

On Fri, 2016-08-26 at 11:48 -0400, Shaun McCance wrote:
That still leaves the question: If the release team tags with a key
can all trust, how does the release team trust that the commit they
tagged is the one the maintainer intended?

We don't actually use git tags for anything official; we work with
tarballs hosted on If we want to switch to using
signed git tags instead of tarballs, I think that'd be fine, but it
would require a lot of infrastructure work.


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]