Re: Gnome Flatpak build system, descriptions and questions
- From: Shaun McCance <shaunm gnome org>
- To: Michael Catanzaro <mcatanzaro gnome org>, Alexander Larsson <alexl redhat com>, Richard Hughes <hughsient gmail com>
- Cc: "gnome-os-list gnome org" <gnome-os-list gnome org>, desktop-devel-list <desktop-devel-list gnome org>
- Subject: Re: Gnome Flatpak build system, descriptions and questions
- Date: Fri, 26 Aug 2016 12:46:31 -0400
On Fri, 2016-08-26 at 11:21 -0500, Michael Catanzaro wrote:
> On Fri, 2016-08-26 at 11:48 -0400, Shaun McCance wrote:
> > IIRC, git.gnome.org won't let you push an unsigned tag.
>
> I've been doing it for a while, so it most certainly does! I don't see
> value in signing our tags as (a) clearly nobody is checking the
> signatures, and (b) we don't currently have any centralized registry of
> trusted keys, so it's not possible to know which signatures to trust
> anyway.

Ah, it appears an annotated tag is sufficient:

https://wiki.gnome.org/Git/Help/LightweightTags
https://git.gnome.org/browse/sysadmin-bin/tree/git/pre-receive-check-policy#n185

> On Fri, 2016-08-26 at 11:48 -0400, Shaun McCance wrote:
> > That still leaves the question: If the release team tags with a key we
> > can all trust, how does the release team trust that the commit they
> > tagged is the one the maintainer intended?
>
> We don't actually use git tags for anything official; we work with
> tarballs hosted on download.gnome.org. If we want to switch to using
> signed git tags instead of tarballs, I think that'd be fine, but it
> would require a lot of infrastructure work.

I may have misread what Alex was asking for. I'll just shut up now and
let the release team and Alex figure out what's best.
--
Shaun