It seems a lot of people feel conservative in favor of tarballs, so maybe I aimed too far. At least I think the discussion brought some interesting points that we can explore further. Some I identified:
- The tarballs should contain no changes with respect to git, or minimal changes obviously justifiable in a diff.
- Tarballs should only be generated in a reproducible manner using scripts. Ideally by the CI only.
- We should start to sign tarballs in the CI.
- We should start to sign commits and tags. Git recently made this super easy by allowing signing with the ssh keys that we all are already using to push things, so no excuses for not enabling this. Sample config below:

    [user]
        signingkey = <path to your public key>
    [commit]
        gpgsign = true
    [gpg]
        format = ssh
    [tag]
        forceSignAnnotated = true