On Sat, Feb 19, 2011 at 02:51:42PM +0100, Martin Pitt wrote:
> Martin Pool [2011-02-17 18:02 +1100]:
> > <https://dev.launchpad.net/LEP/BuildFromBranchIntoPrimary>
> > How do we distinguish commits that ought to be built from those that
> > don't?
>
> A very common workflow for packages is to commit the actual changes to
> the package while keeping the upload target as "UNRELEASED". Once you
> want to upload it, you do "dch -r" to flip the upload target to
> "natty" (or maverick-proposed, etc.), and commit that change with
> "debcommit -r", which will also tag the revision with the package
> version number. In order to fulfill the "at least as secure"
> requirement, we'd need to additionally GPG-sign that "release" commit.
>
> So IMHO a package should be built on each commit which has a tag and a
> GPG signature.

That sounds reasonable to me. How do you gpg sign a tag in bzr? I've never
seen any information about this in the UDD documentation.

--
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slanga...@ubuntu.com                                     vor...@debian.org
--
ubuntu-devel mailing list
ubuntu-devel@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel