Limiting who can create v${NUMBER}.${NUMBER}.${NUMBER} tags in KDE Applications git repos

Ben Cooksley bcooksley at kde.org
Mon Jun 25 08:33:39 UTC 2018


On Mon, Jun 25, 2018 at 6:57 PM, Rolf Eike Beer
<kde at opensource.sf-tec.de> wrote:
> On 2018-06-24 22:56, Albert Astals Cid wrote:
>>
>> Hi, would anyone be against limiting who can create
>> v${NUMBER}.${NUMBER}.${NUMBER} i.e. tags that look like our release tags
>> to members of the release team for the KDE Applications git repositories?
>>
>> Rationale: Some distros build from git tags so creating a "release looking
>> tag" is for them like "using the release tarball" and we already limit who
>> can upload release tarballs to the download.kde.org so it would be a
>> similar restriction but for the git side.
>
>
> This sounds sane to me. Simply require those tags to be signed by
> $key_in_known_good_list.

Given the recent security issues surrounding interaction with GPG done
by external programs, I would rather not perform key verification.

>
> Eike

Cheers,
Ben

