[openstack-dev] Please do use PGP and PGP signed tags!

Monty Taylor mordred at inaugust.com
Sat Feb 9 21:18:24 UTC 2013



On 02/09/2013 02:17 PM, Mark McLoughlin wrote:
> Hi Thomas,
> 
> On Sun, 2013-02-10 at 01:41 +0800, Thomas Goirand wrote:
>> As you may know, I am the person doing the packaging of Openstack in
>> Debian. So uploading stuff in Debian is my responsibility. I've been
>> trying to shout to everyone that they should be using PGP signed tags on
>> Github, but the message doesn't seem to be received well enough, even

(small nit - this should be "PGP signed tags in git" - github has
nothing to do with it)

>> though core repositories are signed (I could check that ttx signature is
>> in all core projects, so we're safe here). But that's not true for many
>> smaller python modules.
> 
> Care to share specific examples?

I agree with Thomas that we should always sign tags in our projects -
especially now that we're using those tags as the basis for automated
releases.

We've discussed putting in checks for signed tags vs. unsigned when we
do releases from tags, but I think that it might be harder to implement
than the benefit - especially since it's a small set of people already
who can push tags.

Short story - if you're tagging something - please always use:

  git tag -s

Monty
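An added example, not code from this thread or from the OpenStack release tooling, of the kind of signed-vs-unsigned check Monty mentions. It is a POSIX shell release gate that tells apart a lightweight tag (a bare ref to a commit, which can never carry a signature), an annotated tag created with `git tag -a` (has a tag object but no signature), and a tag created with `git tag -s` (tag object contains a PGP signature block), and only for the last one runs `git verify-tag`, which also fails if the signer's key is not in the keyring. The `demo_repo` helper, the tag names `light` and `unsigned`, and the `demo` argument are assumptions for illustration; the demo repository is constructed on the fly so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the original thread): classify a git tag by how it
# was created and refuse to release from anything that is not a verifiable
# PGP-signed tag. Assumes git on PATH; for a real release job the signer's
# public key must already be in the GPG keyring of the machine running this.

# Return 0 if "$1" is an annotated tag whose object carries a PGP signature
# block (git tag -s), 1 if it is annotated but unsigned (git tag -a), and 2
# if it is a lightweight tag (plain ref to a commit) or does not exist.
tag_signature_state() {
    tag=$1
    type=$(git cat-file -t "refs/tags/$tag" 2>/dev/null) || return 2
    [ "$type" = "tag" ] || return 2
    # git tag -s appends an ASCII-armored signature to the tag object body.
    if git cat-file -p "refs/tags/$tag" | grep -q '^-----BEGIN PGP SIGNATURE-----$'; then
        return 0
    fi
    return 1
}

# Release gate: 0 only for a signed tag whose signature GPG accepts.
# A reason is printed on stderr for every refusal.
release_check() {
    tag=$1
    state=0
    tag_signature_state "$tag" || state=$?
    case $state in
        0) ;;
        1) echo "refusing $tag: annotated tag is not signed (use git tag -s)" >&2; return 1 ;;
        *) echo "refusing $tag: lightweight or unknown tag (use git tag -s)" >&2; return 1 ;;
    esac
    # git verify-tag exits non-zero for a bad signature or an unknown key.
    if ! git verify-tag "$tag" >/dev/null 2>&1; then
        echo "refusing $tag: signature does not verify against the keyring" >&2
        return 1
    fi
    return 0
}

# Constructed demo repository (assumption, not a real project): one empty
# commit, a lightweight tag "light" and an annotated-but-unsigned tag
# "unsigned". Prints the repository path.
demo_repo() {
    dir=$(mktemp -d)
    cd "$dir" || exit 1
    git init -q
    git -c user.name=demo -c user.email=demo@example.com \
        commit -q --allow-empty -m "initial"
    git tag light
    git -c user.name=demo -c user.email=demo@example.com \
        tag -a -m "release candidate" unsigned
    echo "$dir"
}

# Stand-alone run: `sh check_tag.sh demo` builds the demo repo and shows
# both refusals. In a release job you would instead call:
#   release_check "$TAG" || exit 1
if [ "${1:-}" = demo ]; then
    repo=$(demo_repo)
    cd "$repo" || exit 1
    for t in light unsigned; do
        if release_check "$t"; then echo "$t: accepted"; else echo "$t: refused"; fi
    done
fi
```

Because signing happens on the tagger's machine, a hosting service cannot add a signature after the fact; this gate only confirms what `git tag -s` put in the tag object. It also deliberately treats "signed by a key we do not have" the same as "unsigned", so the release job's keyring has to contain the release managers' public keys.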


