On Fri 2019-03-22 09:32:55 +0100, Lucas Nussbaum wrote: > I'm probably missing something, but it doesn't sound like a lot of work > to me? It's "just" a service that: > - gets notified of the existence of a git repo + tag to upload > - fetches that git repo + tag > - checks signature / confirm that the GPG key owner is allowed to upload > that package In case anyone is considering trying to do this, please be aware that there are several non-obvious subtleties involved in "verifying a git tag". https://public-inbox.org/git/875zsdu41d.fsf@fifthhorseman.net/ use caution! --dkg
Attachment:
signature.asc
Description: PGP signature