
Re: ask github to encourage signed git tags



Hi,

2015-08-21 09:51:45 Thomas Koch:
> we want upstream to sign releases. Nowadays a lot of software is on github
> and a release is just a git tag. - An unsigned git tag ... :-(
> 
> Github has a site that shows tags[1] but it does not give any indication
> whether the tag is signed or not.
> [1] e.g. https://github.com/Flameeyes/unpaper/tags
> 
> Github should add visual feedback on this tags page: grey for unsigned,
> yellow for signed and green for signed and connected to the web-of-trust.
> Next to a grey or yellow tag there should be links to help texts.

Connected to the WOT means the strong set?

While I think signed tags are enough, many things rely on signed tarballs.
github should thus also allow uploading signatures for the tarball generated
from the (signed) tags and provide instructions for how to generate the
tarballs yourself.

I can generate github-identical tarballs with:
$ git archive --prefix="${PROJECT}-${TAG}/" -o "${HOME}/build-area/${PROJECT}_${TAG}.orig.tar.gz" "${TAG}"

> Yes, github is proprietary. Still it would be in the best interest of
> everybody if software was signed. Even github would not want to host
> malicious code.

Signed software does not imply non-malicious code.


Regards
Timo
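
An added example, written for this page and not code from Timo's mail, from Thomas's proposal, or from GitHub, expanding on the tarball-from-tag command above: it checks that a release tag is signed by one specific, pinned key rather than by whatever key happens to be in the keyring, rebuilds the tarball from the tag with `git archive`, and verifies an uploaded detached signature for that tarball against the same pinned key. It assumes the detached signature is stored as `<project>-<tag>.tar.gz.asc` beside the tarball and that the signer's full fingerprint is known out of band; the gpg status lines it parses when run without arguments are constructed samples, not real output from any project.

```shell
#!/bin/sh
# Added example, not code from the mail thread or from GitHub: verify a git
# release tag against a *pinned* signing-key fingerprint, rebuild the release
# tarball from that tag with `git archive` (same layout as Timo's command),
# and verify an uploaded detached signature for the tarball the same way.
#
# Assumptions (mine): the detached signature sits next to the tarball as
# "<project>-<tag>.tar.gz.asc", and the expected signer's 40-hex-digit
# fingerprint is known out of band (previous release, project website),
# not taken from the tarball or tag being checked.
set -eu

# Pull the signing key's primary fingerprint out of gpg status-fd output.
# `gpg --verify` and `git verify-tag` succeed for a good signature by *any*
# key in the keyring, so "the signature verifies" is not enough: the caller
# must compare this fingerprint with the pinned one. A good signature from an
# expired or revoked key is reported as EXPKEYSIG/REVKEYSIG next to VALIDSIG;
# treat those as failures and print nothing.
validsig_primary_fpr() {
    # $1: status text, e.g. from `gpg --status-fd 1` or `git verify-tag --raw`
    printf '%s\n' "$1" | awk '
        $1 == "[GNUPG:]" && ($2 == "EXPKEYSIG" || $2 == "REVKEYSIG") { bad = 1 }
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" { fpr = (NF >= 12) ? $12 : $3 }
        END { if (!bad) print fpr }'
}

# Case-insensitive fingerprint comparison that tolerates the spaced form
# "89AB CDEF ..."; an empty candidate never matches.
fpr_matches() {
    a=$(printf '%s' "$1" | tr -d ' ' | tr '[:lower:]' '[:upper:]')
    b=$(printf '%s' "$2" | tr -d ' ' | tr '[:lower:]' '[:upper:]')
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# verify_signed_release PROJECT TAG PINNED_FINGERPRINT  (run inside a clone)
verify_signed_release() {
    project=$1; tag=$2; pinned=$3
    tarball="${project}-${tag}.tar.gz"

    # 1. Tag signature. --raw sends gpg's status lines to stderr.
    status=$(git verify-tag --raw "$tag" 2>&1) ||
        { echo "$tag: no valid signature on tag" >&2; return 1; }
    fpr=$(validsig_primary_fpr "$status")
    fpr_matches "$fpr" "$pinned" ||
        { echo "$tag: tag signed by '${fpr:-?}', expected $pinned" >&2; return 1; }

    # 2. Rebuild the tarball from the verified tag.
    git archive --prefix="${project}-${tag}/" -o "$tarball" "$tag"

    # 3. Detached signature on the tarball, pinned to the same key.
    status=$(gpg --status-fd 1 --verify "${tarball}.asc" "$tarball" 2>/dev/null) ||
        { echo "$tarball: no valid detached signature" >&2; return 1; }
    fpr=$(validsig_primary_fpr "$status")
    fpr_matches "$fpr" "$pinned" ||
        { echo "$tarball: signed by '${fpr:-?}', expected $pinned" >&2; return 1; }

    echo "OK: $tag and $tarball are both signed by $pinned"
}

# Constructed sample of gpg status output (made-up key ids and fingerprints,
# not output from any real project), so the parsing can be exercised without
# git or gpg when the script is run with no arguments.
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Example Signer <signer@example.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2015-08-21 1440150705 0 4 0 1 10 00 89ABCDEF0123456789ABCDEF0123456789ABCDEF'
SAMPLE_STATUS_REVOKED="$SAMPLE_STATUS
[GNUPG:] REVKEYSIG 89ABCDEF01234567 Example Signer <signer@example.org>"

if [ "$#" -eq 3 ]; then
    verify_signed_release "$@"
else
    echo "usage: $0 PROJECT TAG PINNED_FINGERPRINT (run inside a clone)" >&2
    echo "demo: sample status parses to primary key '$(validsig_primary_fpr "$SAMPLE_STATUS")'"
    echo "demo: revoked-key sample parses to '$(validsig_primary_fpr "$SAMPLE_STATUS_REVOKED")'"
fi
```

The fingerprint pin is the part `git verify-tag` alone does not give you: it reports success for any key in your keyring, and an expired or revoked key still yields a cryptographically good signature with a `VALIDSIG` line next to `EXPKEYSIG` or `REVKEYSIG`, which is why the parser rejects those instead of trusting the exit status alone. Whether the rebuilt tarball is byte-identical to the one GitHub serves depends on the git and gzip versions on GitHub's side, so compare the tag signature and the detached tarball signature rather than a hash of GitHub's generated download.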
