On Fri, 2016-08-26 at 11:48 -0400, Shaun McCance wrote: > IIRC, git.gnome.org won't let you push an unsigned tag.
I've been doing it for a while, so it most certainly does! I don't see value in signing our tags as (a) clearly nobody is checking the signatures, and (b) we don't currently have any centralized registry of trusted keys, so it's not possible to know which signatures to trust anyway. On Fri, 2016-08-26 at 11:48 -0400, Shaun McCance wrote: > > That still leaves the question: If the release team tags with a key > we > can all trust, how does the release team trust that the commit they > tagged is the one the maintainer intended? We don't actually use git tags for anything official; we work with tarballs hosted on download.gnome.org. If we want to switch to using signed git tags instead of tarballs, I think that'd be fine, but it would require a lot of infrastructure work. Michael _______________________________________________ gnome-os-list mailing list [email protected] https://mail.gnome.org/mailman/listinfo/gnome-os-list
