On Fri, 2016-08-26 at 11:21 -0500, Michael Catanzaro wrote:
> On Fri, 2016-08-26 at 11:48 -0400, Shaun McCance wrote:
> >
> > IIRC, git.gnome.org won't let you push an unsigned tag.
>
> I've been doing it for a while, so it most certainly does! I don't see
> value in signing our tags as (a) clearly nobody is checking the
> signatures, and (b) we don't currently have any centralized registry of
> trusted keys, so it's not possible to know which signatures to trust
> anyway.

Ah, it appears an annotated tag is sufficient:

https://wiki.gnome.org/Git/Help/LightweightTags
https://git.gnome.org/browse/sysadmin-bin/tree/git/pre-receive-check-policy#n185

> On Fri, 2016-08-26 at 11:48 -0400, Shaun McCance wrote:
> >
> > That still leaves the question: If the release team tags with a key we
> > can all trust, how does the release team trust that the commit they
> > tagged is the one the maintainer intended?
>
> We don't actually use git tags for anything official; we work with
> tarballs hosted on download.gnome.org. If we want to switch to using
> signed git tags instead of tarballs, I think that'd be fine, but it
> would require a lot of infrastructure work.

I may have misread what Alex was asking for. I'll just shut up now and
let the release team and Alex figure out what's best.

--
Shaun
