[SCM] ardour3/master: Don't sign tags.

Jonas Smedegaard dr at jones.dk
Wed Sep 4 08:31:09 UTC 2013


Quoting Adrian Knoth (2013-09-04 01:23:30)
> On 08/24/2013 10:48 AM, mira-guest at users.alioth.debian.org wrote:
> 
> Hi!
> 
> 
> > commit 9a0cdc0c43b2174759f6e342d811ad801a70d24a
> > Author: Jaromír Mikeš <mira.mikes at seznam.cz>
> > Date:   Sat Aug 24 10:50:18 2013 +0200
> > 
> >     Don't sign tags.
> > 
> > diff --git a/debian/gbp.conf b/debian/gbp.conf
> > index 2c53314..8dd9bb3 100644
> > --- a/debian/gbp.conf
> > +++ b/debian/gbp.conf
> > @@ -1,8 +1,5 @@
> > -# Configuration file for git-buildpackage and friends
> > -
> >  [DEFAULT]
> >  pristine-tar = True
> > -sign-tags = True
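Review bot: Removing `sign-tags = True` from debian/gbp.conf switches off tag signing for everyone who builds from this repository, not only for the one contributor whose setup it bothers, and the commit message ("Don't sign tags.") records no reason for giving up signed import and release tags. Suggest keeping `sign-tags = True` in the shared file and letting the affected contributor override it locally in a per-user or per-checkout configuration, or, if the team really wants signing off, stating why in the commit message. The deletion of the `# Configuration file for git-buildpackage and friends` header comment is unrelated to the stated purpose and would be cleaner as a separate change. Also note that the hunk header announces 8 original lines but only 5 are visible here, so the quoted hunk is truncated.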
> 
> Why? I thought signing the import and release tags helps us establish
> a trust chain from the source to the final package.
> 
> If I sign the import, I'm saying "It was really me, it's not fake, and I
> think it's the correct source code. Blame me if it isn't."
> 
> Same for the release tag: "I've reviewed the changes and feel
> comfortable with all of them. I'm the maintainer, I've double-checked
> everything."
> 
> 
> 
> Just wondering...

Because one person in the team finds it annoying for his special setup,
and one other person doesn't find it relevant to sign.

 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private
