Zsh Mailing List Archive
Messages sorted by:
Reverse Date,
Date,
Thread,
Author
Re: reproducing release tarball for 5.0.7
On Sat, 11 Oct 2014 02:19:08 +0200
Simon Ruderich <simon@xxxxxxxxxxxx> wrote:
> How do you feel about providing GPG signatures for the tarballs
> and the git tags? This would fix this issue and make it possible
> for everybody to verify zsh's releases. For example Debian has
> tools to automatically verify the upstream tarball after the
> download if upstream provides signatures. This allows maintainers
> to be sure they downloaded the correct tarball.
>
> If you like I could prepare a patch for the Makefile to sign the
> resulting tarballs, so a "make sign" is the only required action.
> For Git it's even easier, instead of git tag $tag, you can just
> use git tag -s -m 'optional message' $tag and it will be signed.
> I'm already using signed tags for the website.
Could do, guess we need a new key for this.
pws
Messages sorted by:
Reverse Date,
Date,
Thread,
Author