[openstack-dev] Please do use PGP and PGP signed tags!

Mark McLoughlin markmc at redhat.com
Sat Feb 9 21:40:19 UTC 2013


On Sun, 2013-02-10 at 08:21 +1100, Michael Still wrote:
> On Sun, Feb 10, 2013 at 4:41 AM, Thomas Goirand <zigo at debian.org> wrote:
> > Hi everyone!
> >
> > As you may know, I am the person doing the packaging of Openstack in
> > Debian. So uploading stuff in Debian is my responsibility. I've been
> > trying to shout to everyone that they should be using PGP signed tags on
> > Github, but the message doesn't seem to be received well enough, even
> > though core repositories are signed (I could check that ttx signature is
> > in all core projects, so we're safe here). But that's not true for many
> > smaller python modules.
> 
> I had a play with this, but I haven't had a lot of luck. It turns out
> to sign a commit you can just do:
> 
>   git commit -a --gpg-sign
> 
> But the signature doesn't appear in git log output unless you use the
> --show-signature flag. I _think_ that means it won't end up getting
> sent to gerrit, so me signing locally isn't the most useful thing
> ever.
> 
> Am I misunderstanding something?

The question is about signing tags. As part of releasing modules, we do
e.g.:

  $> git tag -s 2012.2.3
  $> git push gerrit tag 2012.2.3

It sounds like we've failed to include '-s' when tagging some projects
in the past.

Cheers,
Mark.
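As an added example (not from this thread or any OpenStack project), here is the check a packager would run on the consuming side before importing a release tag: it rejects lightweight tags, which carry no tag object and so cannot be signed at all, and then lets git verify the PGP signature of an annotated tag against the local keyring. The repository path and tag name are whatever the caller passes; the exit codes are this script's own convention.

```shell
#!/bin/sh
# Constructed example: classify a release tag before importing it.
# Exit codes (this script's own convention):
#   0 = annotated tag with a good PGP signature
#   1 = annotated tag without a verifiable PGP signature
#   2 = lightweight tag, or no such tag at all
check_release_tag() {
    repo=$1
    tag=$2

    # A lightweight tag is only a ref pointing at a commit; there is no tag
    # object, so there is nothing that could have been signed with 'git tag -s'.
    type=$(git -C "$repo" cat-file -t "refs/tags/$tag" 2>/dev/null) || {
        echo "$tag: no such tag" >&2
        return 2
    }
    if [ "$type" != "tag" ]; then
        echo "$tag: lightweight tag (points at a $type), cannot carry a signature" >&2
        return 2
    fi

    # Same check as 'git tag -v': validates the signature embedded in the tag
    # object. Fails for unsigned tags and for keys not in the local keyring,
    # which is the conservative outcome a packager wants.
    if git -C "$repo" verify-tag "$tag" >/dev/null 2>&1; then
        echo "$tag: good PGP signature"
        return 0
    fi
    echo "$tag: annotated tag without a verifiable PGP signature" >&2
    return 1
}

# Usage: check_release_tag /path/to/checkout 2012.2.3
```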
