On Mon, Apr 1, 2024 at 11:06 AM Michael Richardson <m...@sandelman.ca> wrote:
>
> Bill Fenner <fen...@gmail.com> wrote:
> > mcr suggested:
> >> I wonder if we should nuke our own make tarball system.
>
> > The creation of a tarball and its signature gives a place to hang one's hat
> > about origin of code - "someone with the right key claims that this tarball
> > genuinely reflects what the project wants to distribute". Is there a
> > similar mechanism for a git tag?
>
> Yes, git tag -s, lets you sign a commit with a PGP key.
>

Just trying to brainstorm about how this fits with build systems like Arista's, where we store the tarball and check the signature at build time - I suppose it just turns into "vendor the git tag into a local repo and check the signature at build time".

I have no objection to either requiring people to have autotools, or going cmake-only. (I mean, I personally find cmake hard to use, but that shouldn't influence what the project does.)

  Bill
_______________________________________________
tcpdump-workers mailing list -- tcpdump-workers@lists.tcpdump.org
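
One way to do the "vendor the git tag and check the signature at build time" step from the message above, as an added example that is not part of the original thread and is not tcpdump's or Arista's build code. The function names and PINNED_FPR (a constructed placeholder fingerprint) are assumptions; the fingerprint is pinned because git verify-tag on its own accepts a good signature from any key in the keyring.

```shell
#!/bin/sh
# Added example: build-time check that a vendored tag is signed by a pinned key.
# PINNED_FPR is a constructed placeholder, not a real project key.
PINNED_FPR="${PINNED_FPR:-0123456789ABCDEF0123456789ABCDEF01234567}"

# Read GnuPG status lines on stdin and print the signer's primary-key
# fingerprint (last VALIDSIG field when present, else the signing-key field).
# Fails unless there is exactly one VALIDSIG line.
validsig_fpr() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { n++; fpr = (NF >= 12) ? $12 : $3 }
         END { if (n != 1) exit 1; print fpr }'
}

# Succeed only if stdin carries one valid signature made by the key in $1.
status_matches_pin() {
    fpr=$(validsig_fpr) || return 1
    [ "$fpr" = "$1" ]
}

# Verify tag $1 in repository $2 against pinned fingerprint $3.
verify_vendored_tag() {
    tag=$1 repo=$2 pin=$3
    # Must be a tag object (git tag -s / -a), not a lightweight tag or branch.
    [ "$(git -C "$repo" cat-file -t "refs/tags/$tag" 2>/dev/null)" = "tag" ] || return 1
    # --raw sends the gpg status output to stderr; a bad or unverifiable
    # signature makes git exit non-zero.
    status=$(git -C "$repo" verify-tag --raw "refs/tags/$tag" 2>&1 >/dev/null) || return 1
    printf '%s\n' "$status" | status_matches_pin "$pin"
}

# Stand-alone use: script.sh <tag> <repo-dir>
if [ "$#" -eq 2 ]; then
    verify_vendored_tag "$1" "$2" "$PINNED_FPR" || { echo "tag signature check failed" >&2; exit 1; }
fi
```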