From kde-devel Fri Apr 05 10:45:02 2024 From: Ingo =?ISO-8859-1?Q?Kl=F6cker?= Date: Fri, 05 Apr 2024 10:45:02 +0000 To: kde-devel Subject: Re: Should we stop distributing source tarballs? Message-Id: <5772736.DvuYhMxLoT () daneel> X-MARC-Message: https://marc.info/?l=kde-devel&m=171231377104531 MIME-Version: 1 Content-Type: multipart/mixed; boundary="--nextPart6036644.lOV4Wx5bFT" --nextPart6036644.lOV4Wx5bFT Content-Transfer-Encoding: 7Bit Content-Type: text/plain; charset="us-ascii"; protected-headers="v1" From: Ingo =?ISO-8859-1?Q?Kl=F6cker?= To: kde-devel@kde.org Subject: Re: Should we stop distributing source tarballs? Date: Fri, 05 Apr 2024 12:45:02 +0200 Message-ID: <5772736.DvuYhMxLoT@daneel> MIME-Version: 1.0 On Freitag, 5. April 2024 12:04:28 CEST Albert Vaca Cintora wrote: > It seems a lot of people feel conservative in favor of tarballs, so > maybe I aimed too far. At least I think the discussion brought some > interesting points that we can explore further. Some I identified: > > - The tarballs should contain no changes with respect to git, or > minimal changes obviously justifiable in a diff. > - Tarballs should only be generated in a reproducible manner using > scripts. Ideally by the CI only. > - We should start to sign tarballs in the CI. We could easily add a new service for signing and publishing the tarballs to our CI/CD system. The necessary basic infrastructure has been added in the last few months as part of our migration from Binary Factory to GitLab. Regards, Ingo --nextPart6036644.lOV4Wx5bFT Content-Type: application/pgp-signature; name="signature.asc" Content-Description: This is a digitally signed message part. Content-Transfer-Encoding: 7Bit -----BEGIN PGP SIGNATURE----- iHUEABYKAB0WIQTbjgIOMowwlCBgvyGxb1mVFkdKugUCZg/WLgAKCRCxb1mVFkdK uqicAP0cRmJfgDbkg+CpC0wzX2p4u41TZiJA28ORt3JscJZLBgD9HzhojQLbqQcH NCSEXoRCyp2QHuvJIOAGFdSWWijtjg4= =xNYk -----END PGP SIGNATURE----- --nextPart6036644.lOV4Wx5bFT--