bug#66414: GNU ELPA: Require signed tags to release new package versions

[Philip Kaludercic]

Stefan Kangas <stefankangas@gmail.com> writes:

> Severity: wishlist
>
> I propose optionally releasing a new version of packages on
> NonGNU/GNU ELPA only if there is a valid PGP signature.  We can't make
> it mandatory, at the very least not initially, because it would break
> too many existing workflows.

I am not sure what the context here is, so sorry for the potentially
stupid question, but what PGP signatures are we talking about?  Are you
suggesting that the commit should be signed?

> The standard feature to do that in git would be a signed git tag.
> However, (Non-)GNU ELPA currently rebuilds package tarballs every time
> the "Version" comment header is updated, while git tags are ignored.
>
> Forwarded from
>
>     https://lists.gnu.org/r/emacs-devel/2023-02/msg00120.html