On Friday, 5 April 2024 12:04:28 CEST Albert Vaca Cintora wrote:
> It seems a lot of people feel conservative in favor of tarballs, so
> maybe I aimed too far. At least I think the discussion brought some
> interesting points that we can explore further. Some I identified:
> 
> - The tarballs should contain no changes with respect to git, or
> minimal changes obviously justifiable in a diff.
> - Tarballs should only be generated in a reproducible manner using
> scripts. Ideally by the CI only.
> - We should start to sign tarballs in the CI.

We could easily add a new service for signing and publishing the tarballs to 
our CI/CD system. The necessary basic infrastructure has been added in the 
last few months as part of our migration from Binary Factory to GitLab.

Regards,
Ingo
