Signing git tags for releases
From: Stefan Kangas
Subject: Signing git tags for releases
Date: Thu, 2 Dec 2021 16:06:33 -0800

I would like to suggest that we start signing git tags in our
repository. This would give greater confidence that a particular commit
is in fact the one corresponding to a particular release (e.g. the one
with some security fix and not an older one).

It is not strictly necessary in the sense that we are okay as-is, but I
think it's good form and a generally accepted best practice. For
context, see also the previous discussion in Bug#24461.

AFAIK, this will not require any action on behalf of anyone except the
person making our releases, unless they specifically want to verify some
signed git tag with "git tag -v TAG". In that case, they will obviously
first need to fetch the corresponding public key.

Unless I am overlooking something, the necessary documentation changes
will be in make-tarball.txt only. See the attached diff.

If there are no objections to this plan, I hope to start doing this
from Emacs 28.0.91 (the second pretest release) and onward.

Attachment: sign.diff (Description: Text Data)
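
The verification step mentioned in the message above, as an added example that is not part of the original post or of the Emacs release procedure: it signs a tag in a throwaway repository, shows that "git tag -v" fails until the verifier imports the public key, and then compares the signing fingerprint with the one the signer would publish. The identity `rm@example.invalid`, the tag name `demo-1.0` and all helper function names are constructed for the demonstration; it assumes `git` and GnuPG 2.1 or later are installed.

```shell
#!/usr/bin/env bash
# Added example. Key, identity, repository and tag name are constructed
# throwaway values; nothing here comes from the Emacs repository.
set -u
work=$(mktemp -d)
trap 'GNUPGHOME="$work/signer" gpgconf --kill all 2>/dev/null; rm -rf "$work"' EXIT

new_keyring() { mktemp -d "$work/keyring.XXXXXX"; }   # empty keyring, mode 0700

setup_release() {
    # Release manager: private key, one commit, one signed annotated tag.
    mkdir -m 700 "$work/signer"
    GNUPGHOME="$work/signer" gpg --batch --quiet --pinentry-mode loopback \
        --passphrase '' --quick-generate-key \
        'Release Manager <rm@example.invalid>' ed25519 sign never
    git init --quiet "$work/repo"
    git -C "$work/repo" config user.name 'Release Manager'
    git -C "$work/repo" config user.email 'rm@example.invalid'
    git -C "$work/repo" config user.signingkey 'rm@example.invalid'
    git -C "$work/repo" commit --quiet --allow-empty -m 'Constructed release commit'
    GNUPGHOME="$work/signer" git -C "$work/repo" tag -s -m 'Constructed release' demo-1.0
    # The public half is what verifiers have to fetch.
    GNUPGHOME="$work/signer" gpg --batch --armor --export 'rm@example.invalid' \
        > "$work/release-key.asc"
}

verify_as() {               # $1 = keyring of the person running "git tag -v"
    GNUPGHOME="$1" git -C "$work/repo" tag -v demo-1.0 >/dev/null 2>&1
}

import_release_key() {      # $1 = keyring that receives the public key
    GNUPGHOME="$1" gpg --batch --quiet --import "$work/release-key.asc" 2>/dev/null
}

signer_fingerprint() {      # $1 = keyring; fingerprint behind the valid signature
    GNUPGHOME="$1" git -C "$work/repo" verify-tag --raw demo-1.0 2>&1 |
        awk '$2 == "VALIDSIG" { print $3 }'
}

published_fingerprint() {   # what the signer would publish out of band
    GNUPGHOME="$work/signer" gpg --batch --with-colons --fingerprint \
        'rm@example.invalid' | awk -F: '$1 == "fpr" { print $10; exit }'
}

setup_release
verifier=$(new_keyring)
verify_as "$verifier" || echo "no public key yet: git tag -v fails"
import_release_key "$verifier"
verify_as "$verifier" && echo "public key imported: git tag -v succeeds"
[ "$(signer_fingerprint "$verifier")" = "$(published_fingerprint)" ] && echo "fingerprint matches"
```

A successful "git tag -v" only says that some key in the local keyring made the signature, so the fingerprint comparison is what ties the tag to the expected release key.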