On Mon, Jun 25, 2018 at 6:57 PM, Rolf Eike Beer <[email protected]> wrote:
> On 2018-06-24 22:56, Albert Astals Cid wrote:
>>
>> Hi, would anyone be against limiting who can create
>> v${NUMBER}.${NUMBER}.${NUMBER}
>> i.e. tags that look like our release tags to members of the release team
>> for the KDE Applications git repositories?
>>
>> Rationale: Some distros build from git tags so creating a "release looking
>> tag" is for them like "using the release tarball" and we already limit who
>> can upload release tarballs to the download.kde.org so it would be a similar
>> restriction but for the git side.
>
>
> This sounds sane to me. Simply require those tags to be signed by
> $key_in_known_good_list.

Given the recent security issues surrounding interaction with GPG done by external programs, I would rather not perform key verification.

>
> Eike

Cheers,
Ben
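
The restriction proposed in this thread, sketched as an added example that is not from the thread or from KDE's infrastructure: the decision logic a server-side git `update` hook could use to reject release-looking tags pushed by accounts outside an allow list, keyed on the authenticated pusher rather than on tag signatures. `RELEASE_TEAM`, the account names and `AUTH_USER` are assumptions.

```shell
#!/bin/sh
# Added example: authorization logic for a server-side git "update" hook.
# RELEASE_TEAM and its account names are constructed placeholders.
RELEASE_TEAM="alice bob"

# Returns 0 when the ref is a tag named exactly vNUMBER.NUMBER.NUMBER.
is_release_tag() {
    case "$1" in
        refs/tags/v*) ;;
        *) return 1 ;;   # branches and other tags are out of scope
    esac
    printf '%s\n' "${1#refs/tags/}" | grep -Eq '^v[0-9]+\.[0-9]+\.[0-9]+$'
}

# Returns 0 when the account name is on the allow list.
is_release_team() {
    for member in $RELEASE_TEAM; do
        [ "$member" = "$1" ] && return 0
    done
    return 1
}

# check_tag_push USER REFNAME: 0 = allow the ref update, 1 = reject it.
check_tag_push() {
    if is_release_tag "$2" && ! is_release_team "$1"; then
        echo "rejected: $2 looks like a release tag;" \
             "only the release team may push it" >&2
        return 1
    fi
    return 0
}

# In the hook itself, git passes the ref name as the first argument.
# AUTH_USER is hypothetical: the account name the hosting layer
# authenticated for this push.
#   check_tag_push "$AUTH_USER" "$1" || exit 1
```

The check covers creation, moving and deletion of such tags alike, because the `update` hook runs for every change to a ref.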
