
Re: Discussion on eventual transition away from source packages




On Fri 2019-03-22 09:32:55 +0100, Lucas Nussbaum wrote:
> I'm probably missing something, but it doesn't sound like a lot of work
> to me? It's "just" a service that:
> - gets notified of the existence of a git repo + tag to upload
> - fetches that git repo + tag
> - checks signature / confirm that the GPG key owner is allowed to upload
>   that package

In case anyone is considering trying to do this, please be aware that
there are several non-obvious subtleties involved in "verifying a git
tag".

   https://public-inbox.org/git/875zsdu41d.fsf@xxxxxxxxxxxxxxxxx/

use caution!

    --dkg
