bug#66414: GNU ELPA: Require signed tags to release new package versions

[Stefan Kangas]

Severity: wishlist

I propose optionally releasing a new version of packages on
NonGNU/GNU ELPA only if there is a valid PGP signature.  We can't make
it mandatory, at the very least not initially, because it would break
too many existing workflows.

The standard feature to do that in git would be a signed git tag.
However, (Non-)GNU ELPA currently rebuilds package tarballs every time
the "Version" comment header is updated, while git tags are ignored.

Forwarded from

    https://lists.gnu.org/r/emacs-devel/2023-02/msg00120.html