bug-gnu-emacs

bug#66414: GNU ELPA: Require signed tags to release new package versions


From: Philip Kaludercic
Subject: bug#66414: GNU ELPA: Require signed tags to release new package versions
Date: Mon, 09 Oct 2023 09:39:08 +0000

Stefan Kangas <stefankangas@gmail.com> writes:

> Philip Kaludercic <philipk@posteo.net> writes:
>
>> Stefan Kangas <stefankangas@gmail.com> writes:
>>
>>> Severity: wishlist
>>>
>>> I propose optionally releasing a new version of packages on
>>> NonGNU/GNU ELPA only if there is a valid PGP signature.  We can't make
>>> it mandatory, at the very least not initially, because it would break
>>> too many existing workflows.
>>
>> I am not sure what the context here is, so sorry for the potentially
>> stupid question, but what PGP signatures are we talking about?  Are you
>> suggesting that the commit should be signed?
>
> Yes, see the very next sentence:
>
>>> The standard feature to do that in git would be a signed git tag.
>
> Sorry for not being more clear.

No, my bad.  I didn't know that git tags could be signed, so I misread
the sentence.

One issue might be that elpa-admin.el doesn't really do anything with
git tags, though I guess it should be possible to verify a remote git
tag?  An alternative might be to check for signed git commits, at the
very least for the commits that bump the version tag.  That way all the
could be kept in elpa.git.
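An added example, not code from elpa-admin.el or from anyone in this thread: a POSIX shell release gate that implements both options raised above. In "tag" mode it refuses a release unless the tag is an annotated tag with a signature git accepts (Stefan's proposal); in "commit" mode it instead requires the commit the tag points at, i.e. the version-bump commit, to be signed (Philip's alternative). `ELPA_KEYRING` is a hypothetical variable for a keyring that holds only the maintainers' keys; git is required, and the guarded `--demo` path additionally needs gpg 2.1 or later.

```shell
#!/bin/sh
# Added example, not elpa-admin.el code: gate a release on a signed tag or a
# signed version-bump commit.  ELPA_KEYRING (hypothetical) names a keyring that
# contains only the maintainers' public keys.
set -eu

# Point gpg at the dedicated keyring, so that a "good" signature from some
# unrelated key that happens to be on the build host does not pass the check.
if [ -n "${ELPA_KEYRING-}" ]; then
    export GNUPGHOME="$ELPA_KEYRING"
fi

# tag_is_signed REPO TAG: 0 if TAG is an annotated tag whose signature git (via
# gpg) accepts, 1 if it is lightweight, unsigned or badly signed, 2 if TAG does
# not exist at all.
tag_is_signed() {
    repo=$1 tag=$2
    git -C "$repo" rev-parse -q --verify "refs/tags/$tag" >/dev/null 2>&1 || return 2
    # A lightweight tag is only a ref to a commit; there is no tag object to sign.
    [ "$(git -C "$repo" cat-file -t "refs/tags/$tag")" = tag ] || return 1
    git -C "$repo" verify-tag "$tag" >/dev/null 2>&1
}

# commit_is_signed REPO REV: 0 if the commit REV resolves to (a tag name is
# peeled to the commit it points at) carries a signature git accepts.
commit_is_signed() {
    repo=$1 rev=$2
    git -C "$repo" verify-commit "$rev^{commit}" >/dev/null 2>&1
}

# release_allowed REPO TAG [MODE]: policy entry point.  MODE "tag" (default)
# requires a signed tag; MODE "commit" requires the tagged commit to be signed.
release_allowed() {
    repo=$1 tag=$2 mode=${3:-tag}
    case $mode in
        tag)    tag_is_signed "$repo" "$tag" ;;
        commit) commit_is_signed "$repo" "$tag" ;;
        *)      echo "release_allowed: unknown mode '$mode'" >&2; return 1 ;;
    esac
}

# Demonstration with a throwaway key and repository (constructed here, not
# real ELPA data): ./gate.sh --demo
if [ "${1-}" = "--demo" ]; then
    work=$(mktemp -d)
    export GNUPGHOME="$work/gnupg"
    mkdir -m 700 "$GNUPGHOME"
    gpg --batch --quiet --passphrase '' --pinentry-mode loopback \
        --quick-generate-key "ELPA Demo <elpa-demo@example.invalid>" default default never
    keyid=$(gpg --batch --with-colons --list-secret-keys | awk -F: '/^sec/ { print $5; exit }')
    git init -q "$work/repo"
    g() { git -C "$work/repo" -c user.name="ELPA Demo" \
              -c user.email=elpa-demo@example.invalid -c user.signingkey="$keyid" "$@"; }
    g commit -q --allow-empty -m "Bump version to 1.0"
    g tag -s -m "Release 1.0" v1.0        # signed annotated tag
    g tag -a -m "Release 1.1" v1.1        # annotated but unsigned
    g tag v1.2                            # lightweight
    for t in v1.0 v1.1 v1.2; do
        if release_allowed "$work/repo" "$t" tag; then
            echo "$t: valid tag signature, release allowed"
        else
            echo "$t: no valid tag signature, release refused"
        fi
    done
fi
```

One caveat worth knowing before wiring this into a release job: `git verify-tag` and `git verify-commit` exit 0 for a good signature from any key in the keyring, whatever its trust level, unless `gpg.minTrustLevel` (git 2.26 and later) is raised. Either set that option or, as the block does through the hypothetical `ELPA_KEYRING`, point `GNUPGHOME` at a keyring that contains nothing but the keys you actually accept; otherwise "signed" only means "signed by someone".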
