Re: Gnome Flatpak build system, descriptions and questions
- From: Michael Catanzaro <mcatanzaro gnome org>
- To: Shaun McCance <shaunm gnome org>, Alexander Larsson <alexl redhat com>, Richard Hughes <hughsient gmail com>
- Cc: "gnome-os-list gnome org" <gnome-os-list gnome org>, desktop-devel-list <desktop-devel-list gnome org>
- Subject: Re: Gnome Flatpak build system, descriptions and questions
- Date: Fri, 26 Aug 2016 11:21:05 -0500
On Fri, 2016-08-26 at 11:48 -0400, Shaun McCance wrote:
IIRC, git.gnome.org won't let you push an unsigned tag.
I've been doing it for a while, so it most certainly does! I don't see
value in signing our tags as (a) clearly nobody is checking the
signatures, and (b) we don't currently have any centralized registry of
trusted keys, so it's not possible to know which signatures to trust
anyway.
On Fri, 2016-08-26 at 11:48 -0400, Shaun McCance wrote:
That still leaves the question: If the release team tags with a key
we
can all trust, how does the release team trust that the commit they
tagged is the one the maintainer intended?
We don't actually use git tags for anything official; we work with
tarballs hosted on download.gnome.org. If we want to switch to using
signed git tags instead of tarballs, I think that'd be fine, but it
would require a lot of infrastructure work.
Michael
[
Date Prev][
Date Next] [
Thread Prev][
Thread Next]
[
Thread Index]
[
Date Index]
[
Author Index]