
Re: How does team maintenance of python module works?

On Wednesday, February 20, 2013 10:14:26 PM Thomas Goirand wrote:
> Upstream tarballs, in some cases, are a concept of the past. When
> they are released (sometimes, they simply don't exist), it may only
> be an image based on a git tag. Then using Git tags is often better,
> because tags may be PGP signed. I live in China, and the Chinese
> government twice did some man-in-the-middle attack... Tarballs
> don't include PGP signatures. Plus it's possible for me to tag at
> any point in time, any commit, and use that to generate a tarball.

In some cases, sure.  For me, every package I maintain has a tarball release 
and most, if not all, provide signatures for the tarball.  GPG signed is not 
an advantage for git tags.  Anything can be signed.

Scott K
