On Wed, Jul 3, 2013 at 7:37 AM, Matt Turner <[email protected]> wrote:
> On Tue, Jul 2, 2013 at 1:02 PM, Ian Romanick <[email protected]> wrote:
>> 2. Instead of just posting md5sum for the release tarballs, I think we
>> should start GPG signing them. I'm not sure what sort of process we want to
>> establish for this. Should they just be signed by the release manager's key?
>> Is this easier than I think it is?
>
> GPG sign the git tag (git tag -s) and the announce email which
> contains the md5/sha sums. That's how X.Org releases are done.
There should be a reason for doing 2, btw; just stating "I'd like to do this" doesn't give us any advantages over what we have now. What's the point, stopping hackers? etc.

The X.org md5/sha email was put in place to allow us to rebuild the archive if it ever got wiped again (which happened in the past), so we have a list of tarballs we've released and their signatures. People can also use it to verify tarballs.

GPG signing tags is now being used sometimes in the kernel world, though really unless a developer has a gpg key that is trusted by other devs, and hence has met up with other devs to ensure that, gpg signing isn't gaining much.

Dave.
_______________________________________________
mesa-dev mailing list
[email protected]
http://lists.freedesktop.org/mailman/listinfo/mesa-dev
