[openstack-dev] [all] [stable] No longer doing stable point releases
Alan Pevec
apevec at gmail.com
Sun Jun 7 22:25:47 UTC 2015
>> and *Plan D* would be to start doing automatic per-project
>> micro-versions on each commit: e.g. 2015.1.N where N is increased on
>> each commit.
>
> How do you gpg sign these tags? I hope the solution isn't to store a key
> in infra without a passphrase.
Plan D doesn't include git tags, 2015.1.N would be generated by PBR
automatically.
> FYI, I don't use tarballs (just git), and generate my own orig.tar.xz
> out of a signed git tag, so I am not affected by this.
We could generate it too but upstream SourceURL is preferred[1] so it
can be easily verified.
BTW there's an issue re. verification that
https://tarballs.openstack.org/ is using cert for
security.openstack.org but should be easily fixed by infra.
Cheers,
Alan
[1] https://fedoraproject.org/wiki/Packaging:SourceURL
More information about the OpenStack-dev
mailing list