Quoting Adrian Knoth (2013-09-04 01:23:30)
> On 08/24/2013 10:48 AM, mira-gu...@users.alioth.debian.org wrote:
>
> Hi!
>
> > commit 9a0cdc0c43b2174759f6e342d811ad801a70d24a
> > Author: Jaromír Mikeš <mira.mi...@seznam.cz>
> > Date: Sat Aug 24 10:50:18 2013 +0200
> >
> > Don't sign tags.
> >
> > diff --git a/debian/gbp.conf b/debian/gbp.conf
> > index 2c53314..8dd9bb3 100644
> > --- a/debian/gbp.conf
> > +++ b/debian/gbp.conf
> > @@ -1,8 +1,5 @@
> > -# Configuration file for git-buildpackage and friends
> > -
> > [DEFAULT]
> > pristine-tar = True
> > -sign-tags = True
>
> Why? I thought signing the import and release tags helps us establish
> a trust chain from the source to the final package.
>
> If I sign the import, I'm saying "It was really me, it's not fake, and I
> think it's the correct source code. Blame me if it isn't."
>
> Same for the release tag: "I've reviewed the changes and feel
> comfortable with all of them. I'm the maintainer, I've double-checked
> everything."
>
> Just wondering...
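
Review bot: Removing `sign-tags = True` from `[DEFAULT]` turns tag signing off for every team member who builds from this repository, and the commit message "Don't sign tags." gives no reason for it. If the setting only gets in the way of an individual setup, consider keeping the shared default in `debian/gbp.conf` and disabling signing in that person's per-clone `.git/gbp.conf` instead, or at least state the rationale in the commit message. The removal of the `# Configuration file for git-buildpackage and friends` header comment is unrelated to tag signing and would be better left in place or split into its own commit.
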
Because one person in the team finds it annoying for his special setup,
and one other person doesn't find it relevant to sign.

 - Jonas

--
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136 Website: http://dr.jones.dk/

 [x] quote me freely [ ] ask before reusing [ ] keep private
_______________________________________________
pkg-multimedia-maintainers mailing list
pkg-multimedia-maintainers@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-multimedia-maintainers