Should we stop distributing source tarballs?
Heiko Becker
heiko.becker at kde.org
Thu Apr 4 16:45:30 BST 2024
On Thursday, 4 April 2024 13:07:42 CEST, Ben Cooksley wrote:
> [snip]
> As an additional aside - we don't currently GPG sign our Git tags, so there
> is nothing validating that the person who made the release is actually the
> person whose name is on it.
> With GPG signatures we can at least validate who owns the key.
We *do* sign the tags for KF, Plasma and Gear. And IIRC releasme defaults
to signing tags as well.
Regards,
Heiko
More information about the kde-devel
mailing list