[SCM] ardour3/master: Don't sign tags.

Adrian Knoth adi at drcomp.erfurt.thur.de
Tue Sep 3 23:23:30 UTC 2013


On 08/24/2013 10:48 AM, mira-guest at users.alioth.debian.org wrote:

Hi!


> commit 9a0cdc0c43b2174759f6e342d811ad801a70d24a
> Author: Jaromír Mikeš <mira.mikes at seznam.cz>
> Date:   Sat Aug 24 10:50:18 2013 +0200
> 
>     Don't sign tags.
> 
> diff --git a/debian/gbp.conf b/debian/gbp.conf
> index 2c53314..8dd9bb3 100644
> --- a/debian/gbp.conf
> +++ b/debian/gbp.conf
> @@ -1,8 +1,5 @@
> -# Configuration file for git-buildpackage and friends
> -
>  [DEFAULT]
>  pristine-tar = True
> -sign-tags = True
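Review bot: the commit message gives no rationale for dropping `sign-tags = True` from `[DEFAULT]`; once the line is gone, git-buildpackage falls back to its default of unsigned tags, so the import and release tags stop carrying a maintainer signature and the provenance chain from upstream source to package loses a link. If the intent is to stop signing, say why in the commit message; if the problem is a per-maintainer key, keeping `sign-tags = True` and configuring the key in gbp.conf or in a per-user override is the smaller change. Removing the two header comment lines is unrelated to the stated purpose and would be cleaner as a separate commit.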

Why? I thought signing the import and release tags helps us establish
a trust chain from the source to the final package.

If I sign the import, I'm saying "It was really me, it's not fake, and I
think it's the correct source code. Blame me if it isn't."

Same for the release tag: "I've reviewed the changes and feel
comfortable with all of them. I'm the maintainer, I've double-checked
everything."



Just wondering...


Cheers


