Re: Should we stop distributing source tarballs?

2024-04-05 Thread Tobias Leupold
On 05.04.24 at 06:25, Juraj Oravec wrote: On Wednesday, 3 April 2024 18:34:04 CEST Albert Vaca Cintora wrote: Hi KDE folks, The recent xz backdoor scandal made me realize how bad and obsolete distributing tarballs is. The source of truth for our code are the repositories, and releases can simply

Re: Should we stop distributing source tarballs?

2024-04-05 Thread Juraj Oravec
On Friday, 5 April 2024 9:04:14 CEST Tobias Leupold wrote: > On 05.04.24 at 06:25, Juraj Oravec wrote: > > Hello Albert, > > > > The release tarballs can be signed with GPG (or is it PGP?) which > > provide another layer of protection to make sure the release is > > authentic. > > > > If KDE w

Re: Should we stop distributing source tarballs?

2024-04-05 Thread Albert Vaca Cintora
It seems a lot of people feel conservative in favor of tarballs, so maybe I aimed too far. At least I think the discussion brought some interesting points that we can explore further. Some I identified: - The tarballs should contain no changes with respect to git, or minimal changes obviously just

Re: Should we stop distributing source tarballs?

2024-04-05 Thread Ingo Klöcker
On Friday, 5 April 2024 12:04:28 CEST Albert Vaca Cintora wrote: > It seems a lot of people feel conservative in favor of tarballs, so > maybe I aimed too far. At least I think the discussion brought some > interesting points that we can explore further. Some I identified: > > - The tarballs sho

Re: Should we stop distributing source tarballs?

2024-04-05 Thread Carl Schwan
On Friday, April 5, 2024 12:04:28 PM CEST Albert Vaca Cintora wrote: > It seems a lot of people feel conservative in favor of tarballs, so > maybe I aimed too far. At least I think the discussion brought some > interesting points that we can explore further. Some I identified: > > - The tarballs s

Re: Should we stop distributing source tarballs?

2024-04-05 Thread Heiko Becker
On Friday, 5 April 2024 12:04:28 CEST, Albert Vaca Cintora wrote: It seems a lot of people feel conservative in favor of tarballs, so maybe I aimed too far. At least I think the discussion brought some interesting points that we can explore further. Some I identified: - The tarballs should conta

Re: Should we stop distributing source tarballs?

2024-04-05 Thread Johannes Zarl-Zierl
On Friday, 5 April 2024, 13:45:35 CEST, Carl Schwan wrote: > On Friday, April 5, 2024 12:04:28 PM CEST Albert Vaca Cintora wrote: > > - Tarballs should only be generated in a reproducible manner using > > scripts. Ideally by the CI only. > > - We should start to sign tarballs in the CI. > > I d

Re: Should we stop distributing source tarballs?

2024-04-05 Thread Ben Cooksley
On Sat, Apr 6, 2024 at 1:43 AM Heiko Becker wrote: > On Friday, 5 April 2024 12:04:28 CEST, Albert Vaca Cintora wrote: > > It seems a lot of people feel conservative in favor of tarballs, so > > maybe I aimed too far. At least I think the discussion brought some > > interesting points that we can

Re: Should we stop distributing source tarballs?

2024-04-05 Thread Ben Cooksley
On Sat, Apr 6, 2024 at 4:23 AM Johannes Zarl-Zierl wrote: > On Friday, 5 April 2024, 13:45:35 CEST, Carl Schwan wrote: > > On Friday, April 5, 2024 12:04:28 PM CEST Albert Vaca Cintora wrote: > > > - Tarballs should only be generated in a reproducible manner using > > > scripts. Ideally by the