bug-gnu-emacs
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

bug#66414: GNU ELPA: Require signed tags to release new package versions

From: Stefan Monnier
Subject: bug#66414: GNU ELPA: Require signed tags to release new package versions
Date: Mon, 09 Oct 2023 17:52:34 -0400
User-agent: Gnus/5.13 (Gnus v5.13) 
> I propose optionally releasing a new version of packages on
> NonGNU/GNU ELPA only if there is a valid PGP signature.  We can't make
> it mandatory, at the very least not initially, because it would break
> too many existing workflows.

No objection on my side.  The first step would presumably be to change
the synchronization scripts (the ones run by `elpasync` on
`elpa.gnu.org`) so as to propagate upstream tags to `elpa.git`.

The (Non)GNU ELPA tarballs are built from `elpa.git` and `nongnu.git`,
not from the upstream repositories, and currently those do not
contain upstream tags.

And since those repos contain many packages, the upstream tags need to
be renamed or moved to a different namespace to avoid conflicts between
tag names in different packages.

After that, we need to add the feature to be able to build releases from
tags rather than from "the commit where `Version:` was changed".

And after that, we can add a feature that checks that the tags are
signed (and that the signature is valid and made by the appropriate
persons/keys).


        Stefan
reply via email to
[Prev in Thread] Current Thread [Next in Thread]