Re: Signing git tags for releases

[Stefan Kangas]

Eli Zaretskii <eliz@gnu.org> writes:

>> From: Stefan Kangas <stefan@marxist.se>
>> Date: Wed, 8 Dec 2021 14:06:33 -0800
>> Cc: emacs-devel@gnu.org
>>
>> There have been no other comments within a week, besides the one from
>> Teemu Likonen who spotted a mistake in the patch I proposed.
>>
>> If anyone has anything more to add here, there is still some time to
>> speak up before it is time for the second pretest.  If I don't see any
>> further comments until then, I will go ahead with the proposed plan.
>
> At least one important aspect remains un-discussed: how do we make
> sure the keys of those who sign tags are made available for the
> others, who'd like to verify the signatures.  This will have to be
> described in CONTRIBUTE, with enough detail for people to follow even
> if they aren't experts in GnuPG use.
>
> More generally, what exactly is proposed?  I think it would be good to
> see some text for CONTRIBUTE and/or make-tarball.txt (or other docs)
> with what will be the procedures related to this.

I did include a patch in my first message; I have included it again
below with the fix from Teemu.

In this new patch, I also added instructions for how to verify a tag to
CONTRIBUTE.

> IOW, I don't think the discussion, such as it was, was detailed
> enough, and I won't be surprised if people didn't really understand
> what we are going to change and how.  This gap needs to be filled
> before we can conclude that "everyone is in favor".

I hope the attached patch will clear up any remaining doubts.  Thanks.

sign-2.diff
Description: Text Data