
Re: Debian choice of upstream tarballs for packaging



Hi,

On 8/25/21 1:21 AM, Sean Whitton wrote:

> From my point of view, signing git tags is no less well established a
> best practice than signing tarballs -- in fact, to me, it seems *more*
> well established.

That is ecosystem dependent.

FWIW, I'd love to see git bundles as a source archive format -- this would allow shipping a (signed) tag, its commit, and the tree and blob objects for that commit as a single file that can be built in a reproducible way and allows changes on top to be easily tracked, including the branch point.

In the absence of an "official" upstream release tarball, using this format also makes it clear that this is a git snapshot, so no explanation is needed of how that archive was created.

   Simon
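The workflow sketched in the mail, as an added example that is not part of the original message: an upstream repository is snapshotted into a single bundle file carrying the tag, its commit, and the tree and blob objects; the consumer checks the bundle is complete, clones from it without network access, and confirms that the tag's tree object id is identical on both sides (content-addressed storage makes the two trees provably the same content). The repository contents are constructed, and the tag is annotated but unsigned, because `git tag -s` needs a local OpenPGP key; with a signed tag the consumer would additionally run `git tag -v v1.0` in the clone.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread. Assumes `git` is on
# PATH. Identity is set via environment so no ~/.gitconfig is required.
set -e
export GIT_AUTHOR_NAME=Example GIT_AUTHOR_EMAIL=example@example.invalid
export GIT_COMMITTER_NAME=Example GIT_COMMITTER_EMAIL=example@example.invalid

# Round-trips a constructed upstream repo through a bundle file.
# Prints "ok" when the tag's tree id matches between upstream and the clone.
bundle_roundtrip() {
    work=$(mktemp -d)

    # 1. Upstream side: a tiny repository with one annotated release tag.
    #    (A real release would use `git tag -s` to sign the tag.)
    git init -q "$work/upstream"
    printf 'int main(void) { return 0; }\n' > "$work/upstream/main.c"
    git -C "$work/upstream" add main.c
    git -C "$work/upstream" commit -q -m "Initial import"
    git -C "$work/upstream" tag -a -m "Release 1.0" v1.0

    # 2. Ship the snapshot as one file: the tag plus the commit, tree and
    #    blobs it points to. The current branch is included as well so the
    #    clone has something to check out (branch name read from HEAD, so
    #    this works whether the default branch is "main" or "master").
    branch=$(git -C "$work/upstream" symbolic-ref HEAD)
    git -C "$work/upstream" bundle create -q "$work/src-1.0.bundle" "$branch" v1.0

    # 3. Downstream side: verify the bundle is self-contained (it records a
    #    complete history, with no prerequisite commits the consumer must
    #    already have), then clone straight from the file.
    git bundle verify -q "$work/src-1.0.bundle" >/dev/null
    git clone -q "$work/src-1.0.bundle" "$work/pkg"

    # 4. Compare the tree object the tag points to on both sides. Equal
    #    object ids mean byte-identical content; this is also where a signed
    #    tag would be checked with `git tag -v v1.0`.
    up_tree=$(git -C "$work/upstream" rev-parse 'v1.0^{tree}')
    dn_tree=$(git -C "$work/pkg" rev-parse 'v1.0^{tree}')

    rm -rf "$work"
    if [ "$up_tree" = "$dn_tree" ]; then
        echo ok
    else
        echo "tree mismatch: $up_tree vs $dn_tree" >&2
        return 1
    fi
}
```

Running `bundle_roundtrip` prints `ok`. Because a bundle is just a pack plus a ref header, the same file can be rebuilt from the same tag to the same object ids, and later changes on top of it remain ordinary commits whose branch point is the bundled commit.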


