On Sat, 30 Mar 2024, jim.ful...@webcomposite.com wrote:
> While we are here … can we outline all processes to tarball - for example I
> see no signing step

I did not mention signing because it does not strictly affect the tarball as
the signature is separate. I gpg sign every release and have done so for more
than a decade.

> - also wonder if we need to consider signing tarballs (and all release
> artefacts) using cosign ?

What benefits would that bring?
--
/ daniel.haxx.se