
List:       kde-core-devel
Subject:    Change to release flows for non-centrally released projects
From:       Ben Cooksley <bcooksley () kde ! org>
Date:       2023-11-11 21:04:37
Message-ID: CA+XidOG4VbKVKt7kQRn=nfbtZz0a_Ur+PhbzMTMmp_-vivUAoQ () mail ! gmail ! com

Hi all,

For some time now the workflow for independently released KDE software
(that is, projects outside of Frameworks, Plasma and Gear) has been to
upload it to ftp://upload.kde.org/incoming/ and then file a Sysadmin ticket
(with the file hashes and destination).

There has now been a small change to that workflow, where our tooling that
validates the hashes will now also be validating GPG signatures where they
are provided. For tarballs it is expected that you provide a GPG signature
(*.sig), but these won't be required for binary packages.

GPG signatures will be validated against a keyring built from the keys
located at https://invent.kde.org/sysadmin/release-keyring/ - so you will
now need to have your key added there in advance of filing a Sysadmin
ticket to have your release published.

Please send a merge request to that repository with your key(s) following
the format of $gitlabUsername@keyX.asc to have them added.

Many thanks,
Ben
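
A local pre-flight check for the workflow described in the message above, as an added example that is not part of the original message and is not KDE Sysadmin's tooling. It assumes SHA-256 as the hash, a local checkout of the release-keyring repository containing armored *.asc keys, and a detached signature named <tarball>.sig; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not KDE sysadmin tooling): local pre-flight check for a release.
# Assumptions: SHA-256 as the hash; the keys directory is a checkout of the
# release-keyring repository with armored *.asc keys; signature is <tarball>.sig.

# Print the SHA-256 of a file, for pasting into the ticket.
release_hash() {
    sha256sum "$1" | cut -d' ' -f1
}

# build_keyring <keys-dir> <keyring-file>
# Dearmor every *.asc key into one binary keyring that gpgv can read.
build_keyring() {
    keys_dir=$1; keyring=$2
    : > "$keyring" || return 1
    found=0
    for key in "$keys_dir"/*.asc; do
        [ -f "$key" ] || continue
        gpg --batch --dearmor < "$key" >> "$keyring" || return 1
        found=1
    done
    [ "$found" -eq 1 ]    # fail when the directory held no keys
}

# verify_release <keyring-file> <tarball>
# Succeeds only if <tarball>.sig is a valid signature by a key in the keyring.
# gpgv consults only the keyring it is given, not the caller's own keyring.
verify_release() {
    keyring=$1; tarball=$2
    [ -f "$tarball.sig" ] || { echo "missing $tarball.sig" >&2; return 1; }
    # A keyring name without a slash would be looked up in the GnuPG home dir.
    case $keyring in /*) ;; *) keyring=$PWD/$keyring ;; esac
    gpgv --quiet --keyring "$keyring" "$tarball.sig" "$tarball" 2>/dev/null
}

# preflight <keys-dir> <tarball>: verify first, then print "hash  filename".
preflight() {
    ring=$(mktemp) || return 1
    if build_keyring "$1" "$ring" && verify_release "$ring" "$2"; then
        printf '%s  %s\n' "$(release_hash "$2")" "$(basename "$2")"; rc=0
    else
        echo "signature check failed for $2" >&2; rc=1
    fi
    rm -f "$ring"
    return $rc
}
```

Running preflight against the keyring checkout before the merge request for your key is merged fails, which is the same ordering constraint the message describes.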
