Should we stop distributing source tarballs?

Heiko Becker heiko.becker at kde.org
Thu Apr 4 16:45:30 BST 2024


On Thursday, 4 April 2024 13:07:42 CEST, Ben Cooksley wrote:
> [snip]
> As an additional aside - we don't currently GPG sign our Git tags, so there
> is nothing validating that the person who made the release is actually the
> person whose name is on it.
> With GPG signatures we can at least validate who owns the key.

We *do* sign the tags for KF, Plasma and Gear. And IIRC releaseme defaults
to signing tags as well.

Regards,
Heiko

