[lintian] 03/03: releases.md: Describe the current git tag proc

Sat, 17 Sep 2016 03:22:27 -0700 

This is an automated email from the git hooks/post-receive script.

nthykier pushed a commit to branch master
in repository lintian.

commit 505052d79cf3a7d44275301ac1dd9972a9dc9a07
Author: Niels Thykier <ni...@thykier.net>
Date:   Sat Sep 17 09:48:14 2016 +0000

    releases.md: Describe the current git tag proc
    
    Contrary to what was documented, we actually use the signed changes
    file for preparing the signed git tag.  Otherwise, the checksums in it
    will not match the source package.
    
    Signed-off-by: Niels Thykier <ni...@thykier.net>
---
 doc/releases.md | 17 +++++++++++------
 1 file changed, 11 insertions(+), 6 deletions(-)

diff --git a/doc/releases.md b/doc/releases.md
index 2f939d2..b092e38 100644
--- a/doc/releases.md
+++ b/doc/releases.md
@@ -23,12 +23,17 @@ issues that have not been fixed during development.  If you 
do code
 changes, remember to set the distribution back to UNRELEASED!
 Otherwise, some checks on the code will be skipped (e.g. critic).
 
-Sign and upload the package.  Historically, the Lintian
-maintainers have included the (unsigned) changes file in the signed
-git tag (see e.g. the 2.4.3 tag or the 2.5.19 tag).  If/When doing
-this, it may be prudent to wait for the upload to be accepted before
-pushing the new tag (so that the checksums in the signed tag match
-those of the uploaded files).
+Sign and upload the package.  Furthermore, prepare a signed git
+tag.  This is generally done in the following way:
+
+ * Take a copy of the signed `.changes`
+ * Optionally strip the signature from it.
+ * Add a tag message to the top of the file
+ * Tag with `git tag <VERSION> -u <KEYID> --file <FILE>`
+
+This is method is used to provide a "trust" path between the tag and
+the uploaded files.  This is also why we use the signed `.changes`
+(as signing the source package changes the checksums in the `.changes`).
 
 Once the upload has been accepted and the commit has been tagged, you
 may want to "open" the next entry in the changelog.  The rationale for

-- 
Alioth's /usr/local/bin/git-commit-notice on 
/srv/git.debian.org/git/lintian/lintian.git

Reply via email to