Re: Gnome Flatpak build system, descriptions and questions

On Fri, 2016-08-26 at 11:21 -0500, Michael Catanzaro wrote:
On Fri, 2016-08-26 at 11:48 -0400, Shaun McCance wrote:

IIRC, won't let you push an unsigned tag.
I've been doing it for a while, so it most certainly does! I don't
value in signing our tags as (a) clearly nobody is checking the
signatures, and (b) we don't currently have any centralized registry
trusted keys, so it's not possible to know which signatures to trust

Ah, it appears an annotated tag is sufficient:

On Fri, 2016-08-26 at 11:48 -0400, Shaun McCance wrote:

That still leaves the question: If the release team tags with a key
can all trust, how does the release team trust that the commit they
tagged is the one the maintainer intended?
We don't actually use git tags for anything official; we work with
tarballs hosted on If we want to switch to using
signed git tags instead of tarballs, I think that'd be fine, but it
would require a lot of infrastructure work.

I may have misread what Alex was asking for. I'll just shut up now and
let the release team and Alex figure out what's best.


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]