On Thursday, 4 April 2024 13:07:42 CEST, Ben Cooksley wrote:
[snip]
As an additional aside - we don't currently GPG sign our Git tags, so there
is nothing validating that the person who made the release is actually the
person whose name is on it.
With GPG signatures we can at least validate who owns the key.

We *do* sign the tags for KF, Plasma and Gear. And IIRC releaseme defaults to signing tags as well.

Regards,
Heiko