Hello Simon,

On Wed 18 Aug 2021 at 10:10AM +02, Simon Josefsson wrote:

> 1) Trust paths. Some upstreams sign release tarballs with an OpenPGP
> release key that Debian trusts for making releases. Not all upstreams
> use the same key to sign VCS tags/commits, and not all upstreams sign
> VCS tags/commits at all. While Debian can encourage and promote new
> policies for upstream here, I don't think we are in a position to
> require any uniform set of rules. Signing tarballs is the current
> established best practice -- moving to VCS builds needs a set of new
> schemes to be established and deployed, and I don't see any single
> universal solution today.

From my point of view, signing git tags is no less well established a best practice than signing tarballs -- in fact, to me, it seems *more* well established. Of course, that's based on the kinds of upstreams I find myself interacting with, based on the package maintenance work I tend to be involved in. I don't mean to deny that it looks the other way around from other points of view. But I think either of us would be mistaken to take one of them to be more standard, at this point.

--
Sean Whitton