[openstack-dev] Please do use PGP and PGP signed tags!
Thomas Goirand
zigo at debian.org
Sun Feb 10 04:13:02 UTC 2013
On 02/10/2013 05:18 AM, Monty Taylor wrote:
>
>
> On 02/09/2013 02:17 PM, Mark McLoughlin wrote:
>> Hi Thomas,
>>
>> On Sun, 2013-02-10 at 01:41 +0800, Thomas Goirand wrote:
>>> As you may know, I am the person doing the packaging of Openstack in
>>> Debian. So uploading stuff in Debian is my responsibility. I've been
>>> trying to shout to everyone that they should be using PGP signed tags on
>>> Github, but the message doesn't seem to be received well enough, even
>
> (small nit - this should be "PGP signed tags in git" - github has
> nothing to do with it)
Yeah! It just happens that absolutely all of Openstack (including python
modules) is hosted on github! :)
But you are right, if it was hosted somewhere else, I would ask the same
thing.
> I agree with Thomas that we should always sign tags in our projects -
> especially now that we're using those tags as the basis for automated
> releases.
And also: we don't use release tarballs in Debian, just the tags.
> We've discussed putting in checks for signed tags vs. unsigned when we
> do releases from tags
Unfortunately, this won't work, because the non-signed tags I've found
were mostly on non-core projects (e.g. python modules). So there's only
one thing to do: educate everyone to use GnuPG and git tag -s.
> but I think that it might be harder to implement
> than the benefit - especially since it's a small set of people already
> who can push tags.
Do you know how to automate this kind of check (besides doing git tag
-v <tag-name>)? Please share if you have some magic scripts, so that I
could incorporate this in openstack-pkg-tools debian/rules targets.
Cheers,
Thomas
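A check of the kind Thomas asks for, as an added example that is not part of the thread: a Python script that runs `git verify-tag --raw` (assumed available; git 2.12 or newer) and accepts a tag only when the gpg status lines carry a VALIDSIG from an allow-listed fingerprint. The fingerprint value and the idea of calling it from a debian/rules target are assumptions.

```python
#!/usr/bin/env python3
"""Refuse to build unless the tag carries a good PGP signature from an
allow-listed key.  Added example, not code from the thread."""
import re
import subprocess
import sys

# Constructed placeholder: replace with the primary-key fingerprints of the
# release managers whose signatures you actually trust.
ALLOWED_FINGERPRINTS = {"0123456789ABCDEF0123456789ABCDEF01234567"}

STATUS_RE = re.compile(r"^\[GNUPG:\] (\S+)(?: (.*))?$")


def evaluate_status(status_text, allowed_fingerprints):
    """Decide from gpg --status-fd lines whether a signature is acceptable.

    Returns (ok, reason).  Only VALIDSIG counts: GOODSIG alone carries just a
    short key id, and gpg emits VALIDSIG next to EXPKEYSIG/REVKEYSIG too, so
    those keywords are treated as hard failures.
    """
    valid_fprs, problems = set(), []
    for line in status_text.splitlines():
        m = STATUS_RE.match(line.strip())
        if not m:
            continue
        keyword, args = m.group(1), (m.group(2) or "").split()
        if keyword == "VALIDSIG" and args:
            # Field 1: signing (sub)key fpr; field 10 (if present): primary
            # key fpr, which is what allow-lists usually hold.
            valid_fprs.add(args[0].upper())
            if len(args) >= 10:
                valid_fprs.add(args[9].upper())
        elif keyword in ("BADSIG", "ERRSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"):
            problems.append(keyword)
    if problems:
        return False, "gpg reported " + ",".join(problems)
    if not valid_fprs:
        return False, "no valid signature found"
    matched = valid_fprs & {f.upper() for f in allowed_fingerprints}
    if not matched:
        return False, "signed by non-allow-listed key " + ",".join(sorted(valid_fprs))
    return True, "valid signature from " + ",".join(sorted(matched))


def verify_tag(tag, allowed_fingerprints, repo="."):
    """Run `git verify-tag --raw` (assumed git >= 2.12); gpg status goes to stderr."""
    proc = subprocess.run(["git", "-C", repo, "verify-tag", "--raw", tag],
                          capture_output=True, text=True)
    if proc.returncode != 0 and "[GNUPG:]" not in proc.stderr:
        return False, "unsigned tag or git error: " + proc.stderr.strip()
    return evaluate_status(proc.stderr, allowed_fingerprints)


if __name__ == "__main__":
    ok, reason = verify_tag(sys.argv[1], ALLOWED_FINGERPRINTS)
    print(("OK: " if ok else "REFUSED: ") + reason)
    sys.exit(0 if ok else 1)
```

Run it as `./check_tag.py <tag-name>` from a debian/rules target; the non-zero exit fails the build for unsigned, badly signed, or unknown-key tags.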