GNU bug report logs - #66414
GNU ELPA: Require signed tags to release new package versions

Previous Next

Package: emacs;

Reported by: Stefan Kangas <stefankangas <at> gmail.com>

Date: Mon, 9 Oct 2023 07:17:02 UTC

Severity: wishlist

Full log

View this message in rfc822 format

From: Stefan Monnier <monnier <at> iro.umontreal.ca>
To: Stefan Kangas <stefankangas <at> gmail.com>
Cc: 66414 <at> debbugs.gnu.org, philipk <at> posteo.net, yantar92 <at> posteo.net
Subject: bug#66414: GNU ELPA: Require signed tags to release new package versions
Date: Mon, 09 Oct 2023 17:52:34 -0400

> I propose optionally releasing a new version of packages on
> NonGNU/GNU ELPA only if there is a valid PGP signature.  We can't make
> it mandatory, at the very least not initially, because it would break
> too many existing workflows.

No objection on my side.  The first step would presumably be to change
the synchronization scripts (the ones run by `elpasync` on
`elpa.gnu.org`) so as to propagate upstream tags to `elpa.git`.

The (Non)GNU ELPA tarballs are built from `elpa.git` and `nongnu.git`,
not from the upstream repositories, and currently those do not
contain upstream tags.

And since those repos contain many packages, the upstream tags need to
be renamed or moved to a different namespace to avoid conflicts between
tag names in different packages.

After that, we need to add the feature to be able to build releases from
tags rather than from "the commit where `Version:` was changed".

And after that, we can add a feature that checks that the tags are
signed (and that the signature is valid and made by the appropriate
persons/keys).


        Stefan
This bug report was last modified 1 year and 249 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.