Diogo Sant'Anna via curl-library <curl-library@lists.haxx.se> wrote on 2023-02-16 at 16:33:40:
> One way to achieve this would be:
>
> 1. Moving your release process (i.e., the packaging of the tarball) to an
>    automated script in GitHub Actions (GHA). I suggest this because I see you
>    already have some processes as GHAs and you could still reuse part of the
>    script you currently use in docs/RELEASE-PROCEDURE.md

Are you suggesting that creating the release on (IMHO) untrustworthy and
proprietary GitHub infrastructure is more secure than using a system Daniel
controls? Should the OpenPGP key that is used to sign the releases be copied to
GitHub infrastructure as well?

In my opinion this would be a step in the wrong direction.

Fabian