В Fri, 08 Dec 2017 10:55:14 +0000, Ivan Vučica написа: > On Fri, Dec 8, 2017, 10:18 Yavor Doganov <[email protected]> wrote:
> I will sign the tag with my personal key (otherwise GH would not display > it as verified) and I will sign the tarball with the shared maintainer > key, as is the usual practice. OK, I thought that GitHub automatically generates tarballs from git tags, at least this is what I observed with SimpleAgenda. So it is slightly consufing for me how the tag can be signed with one signature and the tarball with another. Anyway, these details are not so important for me, as long as the tarball is signed with the proper key. > Please use ftp.gnustep.org as the primary distribution point. OK, thanks. >> P.S. I'd suggest to advertise widely this new feature of GNUstep Make >> and recommend that all developers GPG-sign their releases. >> > My understanding is that was already the practice for GNUstep core > project? > :-) > > What I mean is: we are already supposed to sign the tarballs. GNUstep core packages have always been signed, I think. But there are lots of unsigned tarballs at ftp.gnustep.org and the other non-core distribution locations (GAP, gnustep-nonfsf, gsimages, etc.). Some maintainers sign a particular release and then don't sign the next which is a problem for Debian packaging, because once you setup the package to verify upstream's signature, a subsequent release that is not GPG-signed will be rejected by the archive management software. > The only new thing is signing tags, which I'm doing more for fun than > anything else: Well, signing tags is a good practice from security POV. Some people even insist that each commit should be GPG-signed. _______________________________________________ Gnustep-dev mailing list [email protected] https://lists.gnu.org/mailman/listinfo/gnustep-dev
