On Tue, Nov 29, 2022, at 3:24 AM, Bob Hepple wrote:
> Here's a question from one of my upstream devels. Not sure I understand
> exactly what he's asking but I thought I'd post here in the hope that
> someone can enlighten him (and me!).
>
> "... Arch supports signed git tags. I'm hoping Fedora does too.
> I'm thinking of dropping this cumbersome process (i.e: signing and
> pushing the `.sig` and `.tar.gz`) for the next release. Simply sign the
> tag and create a release out of it. Can you please do a bit of research
> on your side to see if that's possible?

https://github.com/cgwalters/git-evtag/ was created to address a few details around this.

Most of the people replying so far seem confused into thinking "git ==
internet", when this is clearly not true.
One can cache/lookaside git repositories in the same way one caches tarballs.

That said, there are some tricky things here around not wanting to need to validate the
entire git repository history, and handling cases where the git repository contains
significant code which isn't intended to be built and shipped.