[prev in list] [next in list] [prev in thread] [next in thread]
List: kde-devel
Subject: Re: Should we stop distributing source tarballs?
From: Carl Schwan <carl () carlschwan ! eu>
Date: 2024-04-05 11:45:35
Message-ID: 2094246.unRoLBNdcd () fedora
[Download RAW message or body]
On Friday, April 5, 2024 12:04:28 PM CEST Albert Vaca Cintora wrote:
> It seems a lot of people feel conservative in favor of tarballs, so
> maybe I aimed too far. At least I think the discussion brought some
> interesting points that we can explore further. Some I identified:
>
> - The tarballs should contain no changes with respect to git, or
> minimal changes obviously justifiable in a diff.
I would argue that there should be no change at all. Adapting the versions and
adding the version to the AppStream file should be done in a git commit and not
done in the tarball. This is already done by everyone using releaseme and
following the steps from https://community.kde.org/ReleasingSoftware
> - Tarballs should only be generated in a reproducible manner using
> scripts. Ideally by the CI only.
> - We should start to sign tarballs in the CI.
I disagree. I want my tarball to be signed with my GPG key stored in my Yubiky
and not by a generic KDE key. It should be a proof that I as a maintainer of a
project did the release and not someone else. Same with the upload to
download.kde.org, while this adds some overhead in the process, I think it is
important that KDE Sysadmins are the one who move the tarball to their final
location and do some minimal check (checksum match, it's not a random person
doing the release, ...).
> - We should start to sign commits and tags. Git recently made this
> super easy by allowing signing with the ssh keys that we all are
> already using to push things, so no excuses for not enabling this.
> Sample config below:
>
> [user]
> signingkey = <path to your public key>
> [commit]
> gpgsign = true
> [gpg]
> format = ssh
> [tag]
> forceSignAnnotated = true
+1 git tags are already signed for people following the releaseme workflow.
Signing commits is also good and I encourage everyone to do it but I wouldn't
make it a requirement as it increases the barrier to contribution for new
contributors.
["signature.asc" (application/pgp-signature)]
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic