GitHub user jvz added a comment to the discussion: Tag cleanup and protection

I thought we wanted to sign tags in the first place due to using CI for tagging 
releases? Anyways, signing individual commits, while helpful, isn't required 
(simply signing commits isn't enough for proper security here; you also need to 
manage the valid lists of signing keys for a domain, and that brings things 
back to the equivalent of managing a `KEYS` file but with more types of 
supported keys).

GitHub link: 
https://github.com/apache/logging-log4j2/discussions/4096#discussioncomment-16639790

----
This is an automatically sent email for [email protected].
To unsubscribe, please send an email to: [email protected]
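The comment's point that a signature alone is not enough can be made concrete with a check that separates "the signature verifies" from "the signer is a key the project trusts". This is an added example, not code from the comment or from the Log4j project; the allowlist file format, the function names and the fingerprints are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example. Reads GnuPG status lines (what `git verify-tag --raw <tag>`
# prints on stderr) from stdin and accepts the tag only if the signature is
# good AND the signer's primary-key fingerprint is on the project's list.
# The list format (one fingerprint per line, '#' comments) is an assumption.
# Returns: 0 accepted, 1 valid signature from an unlisted key,
#          2 no good signature (bad, missing, or expired/revoked key).
tag_signer_allowed() {
    allowlist=$1
    fpr=$(awk '
        $1 != "[GNUPG:]" { next }
        $2 == "GOODSIG"  { good = 1 }   # not emitted for expired or revoked keys
        $2 == "VALIDSIG" { fpr = (NF >= 12) ? $12 : $3 }   # prefer primary key
        END { if (good && fpr != "") print toupper(fpr) }
    ')
    [ -n "$fpr" ] || return 2
    # Drop comments and whitespace, normalise case, require an exact match.
    sed -e 's/#.*//' -e 's/[[:space:]]//g' "$allowlist" |
        tr 'a-f' 'A-F' | grep -Fqx -- "$fpr" || return 1
    return 0
}

# Constructed sample data (not real keys or real gpg output).
SAMPLE_ALLOWED_FPR=AAAA1111BBBB2222CCCC3333DDDD4444EEEE5555
SAMPLE_OTHER_FPR=0123456789ABCDEF0123456789ABCDEF01234567
sample_status() {   # $1 = fingerprint of the constructed signer
    printf '[GNUPG:] NEWSIG\n'
    printf '[GNUPG:] GOODSIG %s Constructed Signer <signer@example.invalid>\n' \
        "$(printf %s "$1" | cut -c25-40)"
    printf '[GNUPG:] VALIDSIG %s 2024-01-01 1704067200 0 4 0 1 10 00 %s\n' "$1" "$1"
}

demo() {
    list=$(mktemp)
    printf '# release managers (constructed)\n%s\n' "$SAMPLE_ALLOWED_FPR" > "$list"
    for f in "$SAMPLE_ALLOWED_FPR" "$SAMPLE_OTHER_FPR"; do
        if sample_status "$f" | tag_signer_allowed "$list"; then
            echo "$f: accepted"
        else
            echo "$f: rejected (signature verifies, key is not on the list)"
        fi
    done
    rm -f "$list"
}
demo
# Real use: git verify-tag --raw <tag> 2>&1 | tag_signer_allowed <allowlist-file>
```

The allowlist itself still has to be maintained and distributed in a trusted way, which is the key-management work the comment compares to keeping a `KEYS` file.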
