Should we stop distributing source tarballs?
Ingo Klöcker
kloecker at kde.org
Fri Apr 5 11:45:02 BST 2024
On Freitag, 5. April 2024 12:04:28 CEST Albert Vaca Cintora wrote:
> It seems a lot of people feel conservative in favor of tarballs, so
> maybe I aimed too far. At least I think the discussion brought some
> interesting points that we can explore further. Some I identified:
>
> - The tarballs should contain no changes with respect to git, or
> minimal changes obviously justifiable in a diff.
> - Tarballs should only be generated in a reproducible manner using
> scripts. Ideally by the CI only.
> - We should start to sign tarballs in the CI.
We could easily add a new service for signing and publishing the tarballs to
our CI/CD system. The necessary basic infrastructure has been added in the
last few months as part of our migration from Binary Factory to GitLab.
Regards,
Ingo
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 228 bytes
Desc: This is a digitally signed message part.
URL: <http://mail.kde.org/pipermail/kde-devel/attachments/20240405/31efe3f3/attachment.sig>
More information about the kde-devel
mailing list