Re: How does team maintenance of python module work?
On Wednesday, February 20, 2013 10:14:26 PM Thomas Goirand wrote:
> Upstream tarballs, in some cases, are a concept of the past. When
> they are released (sometimes, they simply don't exist), it may only
> be an image based on a git tag. Then using Git tags is often better,
> because tags may be PGP signed. I live in China, and the Chinese
> government twice did some man-in-the-middle attacks... Tarballs
> don't include PGP signatures. Plus it's possible for me to tag at
> any point in time, any commit, and use that to generate a tarball.
In some cases, sure. For me, every package I maintain has a tarball release
and most, if not all, provide signatures for the tarball. Being GPG signed is
not an advantage for git tags. Anything can be signed.