On Tue, Nov 29, 2022, at 3:24 AM, Bob Hepple wrote: > Here's a question from one of my upstream devels. Not sure I understand > exactly what he's asking but I thought I'd post here in the hope that > someone can enlighten him (and me!). > > "... Arch supports signed git tags. I'm hoping Fedora does too. > > I'm thinking of dropping this cumbersome process (i.e: signing and > pushing the `.sig` and `.tar.gz`) for the next release. Simply sign the > tag and create a release out of it. Can you please do a bit of research > on your side to see if that's possible?
https://github.com/cgwalters/git-evtag/ was created to address a few details around this. Most of the people replying so far seem confused into thinking "git == internet", when this is clearly not true. One can cache/lookaside git repositories in the same way one caches tarballs. That said, there are some tricky things here around not wanting to need to validate the entire git repository history, and handling cases where the git repository contains significant code which isn't intended to be built and shipped. _______________________________________________ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
