
ask github to encourage signed git tags



Hi,

We want upstream to sign releases. Nowadays a lot of software is on GitHub and 
a release is just a git tag. - An unsigned git tag ... :-(

GitHub has a site that shows tags[1] but it does not give any indication 
whether the tag is signed or not.
[1] e.g. https://github.com/Flameeyes/unpaper/tags

GitHub should add visual feedback on this tags page: grey for unsigned, yellow 
for signed and green for signed and connected to the web-of-trust. Next to a 
grey or yellow tag there should be links to help texts.

I expect that this would help to increase the usage of signed git tags.

I asked github.com/contact to do this more than a year ago. - No response. 
What if the Debian project, together with others, requested this through a 
more official channel?

Yes, GitHub is proprietary. Still, it would be in the best interest of 
everybody if software was signed. Even GitHub would not want to host malicious 
code.

Does anybody have a contact at GitHub?

Thomas Koch
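
The three states proposed in the message (unsigned, signed, signed and connected to the web of trust) can be checked locally with git and GnuPG. The script below is an added example, not part of the original message; the mapping of colours onto gpg status lines, the extra `invalid` state for a signature that fails verification, and the function names are assumptions of this example.

```shell
#!/bin/sh
# Classify git tags as grey / yellow / green (plus "invalid", an addition here).
# Only OpenPGP signatures are handled; "green" reflects the LOCAL keyring and
# trust database of whoever runs the check, not a global property of the tag.

# $1: "yes" if the tag object carries a signature block, otherwise "no"
# $2: gpg status output as printed by `git verify-tag --raw`
classify_status() {
    has_sig=$1
    status=$2
    [ "$has_sig" = yes ] || { echo grey; return; }
    case "$status" in
        *"[GNUPG:] BADSIG "*) echo invalid; return ;;  # tag data or signature altered
        *"[GNUPG:] GOODSIG "*) ;;                      # signature verifies, check trust
        *) echo yellow; return ;;                      # signed, key missing or expired
    esac
    case "$status" in
        *"[GNUPG:] TRUST_FULLY"*|*"[GNUPG:] TRUST_ULTIMATE"*) echo green ;;
        *) echo yellow ;;                              # valid, signer not trusted locally
    esac
}

# $1: path to repository, $2: tag name
tag_colour() {
    repo=$1
    tag=$2
    # A lightweight tag points straight at a commit and cannot carry a signature.
    if [ "$(git -C "$repo" cat-file -t "refs/tags/$tag" 2>/dev/null)" != tag ]; then
        echo grey
        return
    fi
    if git -C "$repo" cat-file tag "refs/tags/$tag" | grep -q -e '-----BEGIN PGP '; then
        has_sig=yes
    else
        has_sig=no
    fi
    # --raw sends the machine-readable gpg status lines to stderr.
    status=$(git -C "$repo" verify-tag --raw "$tag" 2>&1 || true)
    classify_status "$has_sig" "$status"
}

# Usage: sh <this script> /path/to/repo   (prints one "colour<TAB>tag" line per tag)
if [ "$#" -ge 1 ]; then
    git -C "$1" tag -l | while read -r t; do
        printf '%s\t%s\n' "$(tag_colour "$1" "$t")" "$t"
    done
fi
```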

