It seems a lot of people feel conservative and favor tarballs, so
maybe I aimed too far. At least I think the discussion brought up some
interesting points that we can explore further. Some that I identified:

- The tarballs should contain no changes with respect to git, or
minimal changes obviously justifiable in a diff.
- Tarballs should only be generated in a reproducible manner using
scripts. Ideally by the CI only.
- We should start to sign tarballs in the CI.
- We should start to sign commits and tags. Git recently made this
super easy by allowing signing with the ssh keys we are all already
using to push things, so there is no excuse for not enabling this.
Sample config below:

[user]
    # With gpg.format = ssh this is the path to your key file (the .pub
    # file works when the private key is loaded in ssh-agent), or the
    # literal public key prefixed with "key::".
    signingkey = <path to your public key>
[commit]
    # Sign every commit; git calls "ssh-keygen -Y sign" under the hood.
    gpgsign = true
[gpg]
    # Use SSH keys instead of GnuPG for signatures.
    format = ssh
[tag]
    # Also sign tags that become annotated through -m/-F. An explicit
    # -a asks for an unsigned annotated tag and takes precedence.
    forceSignAnnotated = true
