ANNOUNCE: xfce4-terminal 0.8.3 released
Landry Breuil
landry.breuil at gmail.com
Wed Jan 25 17:40:03 CET 2017
On Sun, Jan 22, 2017 at 12:59 AM, NicoHood <archlinux at nicohood.de> wrote:
> Hey Landry,
> a GPG key is something very sensible to keep secure. It cannot just be
> put on a release server that automatically signs the files. Or if so it
> needs to be super secured against any attacks.
>
> On the other hand it is super simple for the xfce developers to sign
> their tarballs. You can use my gpgit script or just sign the files on
> your own:
> gpg --armor --detach-sign xfcetool-1.0.0.tar.xz
>
> I am sorry, but all I can do is to kindly ask all maintainers to take
> the topic GPG signing serious. I already wrote a super simple script
> along with a dead simple gpg quick start documentation:
> https://github.com/NicoHood/gpgit
>
> I hope all developers can take those 5 minutes to generate a key and
> sign their sources.
Even if developers went through all those steps, nothing is planned in
the release manager so that one can upload the content of a gpg
signature when uploading a tarball.
So ppl would still have to upload/publish their gpg signature 'somewhere'...
So if you want things to happen in the publishing pipeline we use,
checkout https://git.xfce.org/www/moka, figure out how to add a field
to paste/upload a gpg signature, and get it commited..
Landry
More information about the Xfce
mailing list