[openstack-dev] Please do use PGP and PGP signed tags!
Thierry Carrez
thierry at openstack.org
Sun Feb 10 09:33:40 UTC 2013
Thomas Goirand wrote:
>> (small nit - this should be "PGP signed tags in git" - github has
>> nothing to do with it)
>
> Yeah! It just happens that absolutely all of Openstack (including python
> modules) is hosted on github! :)
It's actually hosted on review.openstack.org, and mirrored to github :)
>> We've discussed putting in checks for signed tags vs. unsigned when we
>> do releases from tags
>
> Unfortunately, this wont work, because the non-signed tags I've found
> where mostly on non-core projects (eg: python modules). So there's only
> one thing to do: educate everyone to use GnuPG and git tag -s.
All openstack projects use (or should use, starting next week) tags to
trigger releases, not just "core" projects. That includes python
modules. So checking that those tags are signed as part of the
tag-to-release tooling is actually a good thing. That wouldn't prevent
people with the ability to push tags to push unsigned tags, but at least
those would not generate a release.
Cheers,
--
Thierry Carrez (ttx)
Release Manager, OpenStack
More information about the OpenStack-dev
mailing list