Thanks for checking in. Sorry for not being fully clear.

> On Thu, 07 Dec 2017 22:57:39 +0000, Ivan Vučica wrote:
> > Actual signature *will* be performed with the correct maintainer GPG
> I don't quite understand this sentence -- does it mean that the actual
> tag/release at the official GitHub GNUstep repository will be signed
> with the GNUstep maintainer key and you only used your key for the
> preview release? If so, it makes perfect sense.

I will sign the tag with my personal key (otherwise GH would not display it as verified) and I will sign the tarball with the shared maintainer key, as is the usual practice.

> If I understood everything correctly, the .tar.gz and the accompanied
> .sig as generated from the git tag on GitHub will be exactly the same
> as those published at ftp.gnustep.org. How quickly will the files
> propagate to ftp.gnustep.org? Do we (Debian) have to adjust the
> (tar.gz/.sig) location to GitHub or we can continue to use

Anything published on GitHub is merely a convenience. The long-term plan is still to move away from GitHub as the main repo due to concerns in the community. No time estimates on that, however.
The change is simply in the build process, and an additional secondary distribution point.

> P.S. I'd suggest to advertise widely this new feature of GNUstep Make
> and recommend that all developers GPG-sign their releases.

My understanding is that was already the practice for the GNUstep core project? :-)
What I mean is: we are already supposed to sign the tarballs.
The only new thing is signing tags, which I'm doing more for fun than anything else: we have not discussed moving to a git repository as the primary source of releases (nor would I really see many advantages to moving away from GNU practices in such a way). :-)