GNU bug report logs - #24461
Signing Emacs git release tags

Package: emacs

Reported by: Rob Browning <rlb <at> defaultvalue.org>

Date: Sun, 18 Sep 2016 18:13:02 UTC

Severity: wishlist

To reply to this bug, email your comments to 24461 AT debbugs.gnu.org.


Report forwarded to bug-gnu-emacs <at> gnu.org:
bug#24461; Package emacs. (Sun, 18 Sep 2016 18:13:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Rob Browning <rlb <at> defaultvalue.org>:
New bug report received and forwarded. Copy sent to bug-gnu-emacs <at> gnu.org. (Sun, 18 Sep 2016 18:13:02 GMT) Full text and rfc822 format available.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Rob Browning <rlb <at> defaultvalue.org>
To: submit <at> debbugs.gnu.org 
Subject: Signing Emacs git release tags
Date: Sun, 18 Sep 2016 13:12:22 -0500
Package: emacs
Severity: wishlist

Please consider creating signed git release tags, i.e. "git tag -s
... emacs-25.2".

Thanks
-- 
Rob Browning
rlb @defaultvalue.org and @debian.org
GPG as of 2011-07-10 E6A9 DA3C C9FD 1FF8 C676 D2C4 C0F0 39E9 ED1B 597A
GPG as of 2002-11-03 14DD 432F AE39 534D B592 F9A0 25C8 D377 8C7E 73A4




Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#24461; Package emacs. (Sun, 18 Sep 2016 20:50:01 GMT) Full text and rfc822 format available.

Message #8 received at 24461 <at> debbugs.gnu.org (full text, mbox):

From: John Wiegley <jwiegley <at> gmail.com>
To: Rob Browning <rlb <at> defaultvalue.org>
Cc: Nicolas Petton <nicolas <at> petton.fr>, 24461 <at> debbugs.gnu.org
Subject: Re: bug#24461: Signing Emacs git release tags
Date: Sun, 18 Sep 2016 12:49:40 -0700
>>>>> "RB" == Rob Browning <rlb <at> defaultvalue.org> writes:

RB> Please consider creating signed git release tags, i.e. "git tag -s ...
RB> emacs-25.2".

I would like to see that as well. I assume it's too late to sign the 25.1 tag.

-- 
John Wiegley                  GPG fingerprint = 4710 CF98 AF9B 327B B80F
http://newartisans.com                          60E1 46C4 BD1A 7AC1 4BA2




Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#24461; Package emacs. (Sun, 18 Sep 2016 21:11:02 GMT) Full text and rfc822 format available.

Message #11 received at 24461 <at> debbugs.gnu.org (full text, mbox):

From: Nicolas Petton <nicolas <at> petton.fr>
To: John Wiegley <jwiegley <at> gmail.com>, Rob Browning <rlb <at> defaultvalue.org>
Cc: 24461 <at> debbugs.gnu.org
Subject: Re: bug#24461: Signing Emacs git release tags
Date: Sun, 18 Sep 2016 23:09:53 +0200
John Wiegley <jwiegley <at> gmail.com> writes:

> RB> Please consider creating signed git release tags, i.e. "git tag -s ...
> RB> emacs-25.2".
>
> I would like to see that as well. I assume it's too late to sign the
> 25.1 tag.

True, I think it's too late.  My commits (including the one used for the
release) should all be signed though.

Cheers,
Nico

Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#24461; Package emacs. (Sun, 29 Sep 2019 04:27:01 GMT) Full text and rfc822 format available.

Message #14 received at 24461 <at> debbugs.gnu.org (full text, mbox):

From: Stefan Kangas <stefan <at> marxist.se>
To: Nicolas Petton <nicolas <at> petton.fr>
Cc: John Wiegley <jwiegley <at> gmail.com>, 24461 <at> debbugs.gnu.org,
 Rob Browning <rlb <at> defaultvalue.org>
Subject: Re: bug#24461: Signing Emacs git release tags
Date: Sun, 29 Sep 2019 06:26:38 +0200
Nicolas Petton <nicolas <at> petton.fr> writes:

> John Wiegley <jwiegley <at> gmail.com> writes:
>
>> RB> Please consider creating signed git release tags, i.e. "git tag -s ...
>> RB> emacs-25.2".
>>
>> I would like to see that as well. I assume it's too late to sign the
>> 25.1 tag.
>
> True, I think it's too late.  My commits (including the one used for the
> release) should all be signed though.

How about signing the release tags from 27.1 and onwards?

Best regards,
Stefan Kangas




Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#24461; Package emacs. (Sun, 29 Sep 2019 16:06:02 GMT) Full text and rfc822 format available.

Message #17 received at 24461 <at> debbugs.gnu.org (full text, mbox):

From: Rob Browning <rlb <at> defaultvalue.org>
To: Stefan Kangas <stefan <at> marxist.se>, Nicolas Petton <nicolas <at> petton.fr>
Cc: John Wiegley <jwiegley <at> gmail.com>, 24461 <at> debbugs.gnu.org
Subject: Re: bug#24461: Signing Emacs git release tags
Date: Sun, 29 Sep 2019 11:05:40 -0500
Stefan Kangas <stefan <at> marxist.se> writes:

> Nicolas Petton <nicolas <at> petton.fr> writes:

>> True, I think it's too late.  My commits (including the one used for the
>> release) should all be signed though.
>
> How about signing the release tags from 27.1 and onwards?

Hmm, hadn't thought about this -- I don't know what git would do if you
changed an unsigned tag to a signed tag without changing the hash.  At a
minimum, I'd guess that people that already have the tag wouldn't fetch
the new one, but I don't know what else, if anything, git might do about
it (warn, fail, nothing, ...).

And of course, you wouldn't want to rely on whatever current git does
about it, unless that were upstream's intended/documented behavior.

(I suppose if it were deemed important enough, emacs-X.Y-sig tags or
 something could be added for older releases, though the meaning of
 those tags might be somewhat different.)

In any case, after originally filing this, I noticed that you had signed
commits, and I just rely on those now.  So while it might still be nice
to have signed tags (too), it's not all that important to me anymore.

Thanks
-- 
Rob Browning
rlb @defaultvalue.org and @debian.org
GPG as of 2011-07-10 E6A9 DA3C C9FD 1FF8 C676 D2C4 C0F0 39E9 ED1B 597A
GPG as of 2002-11-03 14DD 432F AE39 534D B592 F9A0 25C8 D377 8C7E 73A4




Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#24461; Package emacs. (Sun, 29 Sep 2019 16:23:02 GMT) Full text and rfc822 format available.

Message #20 received at 24461 <at> debbugs.gnu.org (full text, mbox):

From: Stefan Kangas <stefan <at> marxist.se>
To: Rob Browning <rlb <at> defaultvalue.org>
Cc: John Wiegley <jwiegley <at> gmail.com>, Nicolas Petton <nicolas <at> petton.fr>,
 24461 <at> debbugs.gnu.org
Subject: Re: bug#24461: Signing Emacs git release tags
Date: Sun, 29 Sep 2019 18:22:06 +0200
Rob Browning <rlb <at> defaultvalue.org> writes:

> In any case, after originally filing this, I noticed that you had signed
> commits, and I just rely on those now.  So while it might still be nice
> to have signed tags (too), it's not all that important to me anymore.

I think signing tags is different than signing commits.  A signed tag
means you can have more trust that you are using the code with the
latest fix to security problem X, announced to have been released in
tagged Emacs version Y, and not code missing that fix.

Best regards,
Stefan Kangas
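
Added example (not part of any message in this thread): a shell sketch of the distinction discussed above, and of the earlier question about what changes when an unsigned tag becomes a signed one. It runs in a constructed throwaway repository; the `emacs-demo-*` tag names and the helper functions are hypothetical, and it uses `git tag -a` instead of `-s` so no GPG key is needed (`git tag -s` signs the same tag-object payload shown here).

```shell
#!/bin/sh
# Constructed demo: throwaway repo; commits and tag names are made up.
set -e
demo_repo=$(mktemp -d)
trap 'rm -rf "$demo_repo"' EXIT
g() {
  git -C "$demo_repo" -c user.name=demo -c user.email=demo@example.invalid \
      -c commit.gpgsign=false -c tag.gpgsign=false "$@"
}

g init -q
g commit -q --allow-empty -m "release without the fix"
old=$(g rev-parse HEAD)
g commit -q --allow-empty -m "fix for security problem X"
fixed=$(g rev-parse HEAD)

# Lightweight tag: just a ref that holds a commit id.
g tag emacs-demo-light "$fixed"
# Annotated tag: a separate object. "git tag -s" signs this same payload.
g tag -a -m "release" emacs-demo-annotated "$fixed"

# Type of the object the tag ref points at directly ("commit" or "tag").
ref_type() { g cat-file -t "$(g rev-parse "refs/tags/$1")"; }
# Commit the tag resolves to once peeled.
peeled() { g rev-parse "$1^{commit}"; }
# Release name stored in the tag object's header (empty for lightweight).
embedded_name() { g cat-file -p "refs/tags/$1" | sed -n '/^$/q; s/^tag //p'; }

# Repointing the lightweight ref changes no object, so verifying commit
# signatures alone cannot tell which commit is the release.
g tag -f emacs-demo-light "$old" >/dev/null

for t in emacs-demo-light emacs-demo-annotated; do
  printf '%s: ref->%s name=[%s] commit=%s\n' \
    "$t" "$(ref_type "$t")" "$(embedded_name "$t")" "$(peeled "$t")"
done
```

The annotated tag's ref holds the id of a new tag object while the commit id it peels to is unchanged; with a real `-s` tag, `git verify-tag` checks a signature that covers both the release name and that commit id.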




Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#24461; Package emacs. (Sun, 29 Sep 2019 17:25:01 GMT) Full text and rfc822 format available.

Message #23 received at 24461 <at> debbugs.gnu.org (full text, mbox):

From: Rob Browning <rlb <at> defaultvalue.org>
To: Stefan Kangas <stefan <at> marxist.se>
Cc: John Wiegley <jwiegley <at> gmail.com>, Nicolas Petton <nicolas <at> petton.fr>,
 24461 <at> debbugs.gnu.org
Subject: Re: bug#24461: Signing Emacs git release tags
Date: Sun, 29 Sep 2019 12:24:16 -0500
Stefan Kangas <stefan <at> marxist.se> writes:

> I think signing tags is different than signing commits.  A signed tag
> means you can have more trust that you are using the code with the
> latest fix to security problem X, announced to have been released in
> tagged Emacs version Y, and not code missing that fix.

Fair enough -- I suppose without the signed tag, there's no way to be
completely sure that you have the right signed commit.

-- 
Rob Browning
rlb @defaultvalue.org and @debian.org
GPG as of 2011-07-10 E6A9 DA3C C9FD 1FF8 C676 D2C4 C0F0 39E9 ED1B 597A
GPG as of 2002-11-03 14DD 432F AE39 534D B592 F9A0 25C8 D377 8C7E 73A4




Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#24461; Package emacs. (Mon, 24 Jan 2022 10:39:01 GMT) Full text and rfc822 format available.

Message #26 received at 24461 <at> debbugs.gnu.org (full text, mbox):

From: Lars Ingebrigtsen <larsi <at> gnus.org>
To: Rob Browning <rlb <at> defaultvalue.org>
Cc: Stefan Kangas <stefan <at> marxist.se>, 24461 <at> debbugs.gnu.org
Subject: Re: bug#24461: Signing Emacs git release tags
Date: Mon, 24 Jan 2022 11:38:48 +0100
Rob Browning <rlb <at> defaultvalue.org> writes:

> Please consider creating signed git release tags, i.e. "git tag -s
> ... emacs-25.2".

It's my understanding that we're going to start doing this starting with
emacs-28.1, but I may be misremembering.  Stefan?

-- 
(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no




Added tag(s) moreinfo. Request was from Lars Ingebrigtsen <larsi <at> gnus.org> to control <at> debbugs.gnu.org. (Mon, 24 Jan 2022 10:40:02 GMT) Full text and rfc822 format available.

Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#24461; Package emacs. (Mon, 21 Feb 2022 14:28:02 GMT) Full text and rfc822 format available.

Message #31 received at 24461 <at> debbugs.gnu.org (full text, mbox):

From: Lars Ingebrigtsen <larsi <at> gnus.org>
To: Rob Browning <rlb <at> defaultvalue.org>
Cc: Stefan Kangas <stefan <at> marxist.se>, 24461 <at> debbugs.gnu.org
Subject: Re: bug#24461: Signing Emacs git release tags
Date: Mon, 21 Feb 2022 15:26:50 +0100
Lars Ingebrigtsen <larsi <at> gnus.org> writes:

> Rob Browning <rlb <at> defaultvalue.org> writes:
>
>> Please consider creating signed git release tags, i.e. "git tag -s
>> ... emacs-25.2".
>
> It's my understanding that we're going to start doing this starting with
> emacs-28.1, but I may be misremembering.  Stefan?

Yes, this is planned, but hasn't been implemented yet, as far as I can
tell from the make-tarball.txt file...

-- 
(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no




Removed tag(s) moreinfo. Request was from Lars Ingebrigtsen <larsi <at> gnus.org> to control <at> debbugs.gnu.org. (Mon, 21 Mar 2022 18:32:03 GMT) Full text and rfc822 format available.

This bug report was last modified 3 years and 84 days ago.


GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.