Signing of git objects #417
I have been a happy user of Arch Linux for many years.
I'm happy to hear! 🙇
That is fine (the signing is part of the creation). As such, it is preferred to not re-create existing tags, as that usually breaks reproducibility downstream.
I see! That's understandable. I hope a trustworthy and capable person can be found! If I may suggest one thing for this scenario then: Please make sure to establish cryptographic trust between yourself and whoever will craft releases after you. This can be done by e.g. adding a third-party certification for that person's OpenPGP certificate (a.k.a. "signing a key") and publishing the updated OpenPGP certificate on relevant keyservers, or by adding the OpenPGP fingerprint of that person's OpenPGP certificate to a file in this repository (e.g. README, MAINTAINERS or similar) in a signed commit.
@dvzrv, in a few days' time I'm going to start an email discussion between a number of people who are interested in the long-term future of PCRE2. If you would like to be part of this, please let me have a suitable email address.
Hi! 👋
I package pcre2 for Arch Linux.
We are currently attempting to make an effort to switch to "more transparent sources" for our packages. More specifically, this means that we would like to circumvent relying on custom source tarballs.
In the case of pcre2 we are currently relying on custom source tarballs, because we can verify them using an OpenPGP signature.
In the past this was more relevant where source tarballs were e.g. downloaded from a separate webserver.
However, for packaging purposes we are able to rely on git sources directly as well and for transparency reasons we would actually prefer that over custom source tarballs.
The only thing missing for this to happen is signed tags (currently all tags are plain tags - not created with `-s`/`--sign`). If it would be possible to create signed tags going forward (using the same OpenPGP key that is also used for signing the source tarballs currently), that would be much appreciated! 🙏