On Wednesday, February 20, 2013 10:14:26 PM Thomas Goirand wrote:
> Upstream tarballs, in some cases, are a concept of the past. When
> they are released (sometimes, they simply don't exist), it may only
> be an image based on a git tag. Then using Git tags is often better,
> because tags may be PGP signed. I live in China, and the Chinese
> government did twice some man-in-the-middle attack... Tarballs
> don't include PGP signatures. Plus it's possible for me to tag at
> any point in time, any commit, and use that to generate a tarball.

In some cases, sure. For me, every package I maintain has a tarball release and most, if not all, provide signatures for the tarball. GPG signed is not an advantage for git tags. Anything can be signed.

Scott K