>> and *Plan D* would be to start doing automatic per-project >> micro-versions on each commit: e.g. 2015.1.N where N is increased on >> each commit. > > How do you gpg sign these tags? I hope the solution isn't to store a key > in infra without a passphrase.
Plan D doesn't include git tags, 2015.1.N would be generated by PBR automatically. > FYI, I don't use tarballs (just git), and generate my own orig.tar.xz > out of a signed git tag, so I am not affected by this. We could generate it too but upstream SourceURL is preferred[1] so it can be easily verified. BTW there's an issue re. verification that https://tarballs.openstack.org/ is using cert for security.openstack.org but should be easily fixed by infra. Cheers, Alan [1] https://fedoraproject.org/wiki/Packaging:SourceURL __________________________________________________________________________ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev