On Fri 2019-03-22 09:32:55 +0100, Lucas Nussbaum wrote:
> I'm probably missing something, but it doesn't sound like a lot of work
> to me? It's "just" a service that:
> - gets notified of the existence of a git repo + tag to upload
> - fetches that git repo + tag
> - checks signature / confirm that the GPG key owner is allowed to upload
> that package
In case anyone is considering trying to do this, please be aware that
there are several non-obvious subtleties involved in "verifying a git
tag".
https://public-inbox.org/git/875zsdu41d.fsf@fifthhorseman.net/
use caution!
--dkg
Attachment:
signature.asc
Description: PGP signature