unofficial mirror of bug-gnu-emacs@gnu.org 
* bug#24461: Signing Emacs git release tags
From: Rob Browning @ 2016-09-18 18:12 UTC
  To: 24461


Package: emacs
Severity: wishlist

Please consider creating signed git release tags, i.e. "git tag -s
... emacs-25.2".

Thanks
-- 
Rob Browning
rlb @defaultvalue.org and @debian.org
GPG as of 2011-07-10 E6A9 DA3C C9FD 1FF8 C676 D2C4 C0F0 39E9 ED1B 597A
GPG as of 2002-11-03 14DD 432F AE39 534D B592 F9A0 25C8 D377 8C7E 73A4






* bug#24461: Signing Emacs git release tags
From: John Wiegley @ 2016-09-18 19:49 UTC
  To: Rob Browning; +Cc: Nicolas Petton, 24461

>>>>> "RB" == Rob Browning <rlb@defaultvalue.org> writes:

RB> Please consider creating signed git release tags, i.e. "git tag -s ...
RB> emacs-25.2".

I would like to see that as well. I assume it's too late to sign the 25.1 tag.

-- 
John Wiegley                  GPG fingerprint = 4710 CF98 AF9B 327B B80F
http://newartisans.com                          60E1 46C4 BD1A 7AC1 4BA2






* bug#24461: Signing Emacs git release tags
From: Nicolas Petton @ 2016-09-18 21:09 UTC
  To: John Wiegley, Rob Browning; +Cc: 24461

John Wiegley <jwiegley@gmail.com> writes:

> RB> Please consider creating signed git release tags, i.e. "git tag -s ...
> RB> emacs-25.2".
>
> I would like to see that as well. I assume it's too late to sign the
> 25.1 tag.

True, I think it's too late.  My commits (including the one used for the
release) should all be signed though.

Cheers,
Nico


* bug#24461: Signing Emacs git release tags
From: Stefan Kangas @ 2019-09-29  4:26 UTC
  To: Nicolas Petton; +Cc: John Wiegley, Rob Browning, 24461

Nicolas Petton <nicolas@petton.fr> writes:

> John Wiegley <jwiegley@gmail.com> writes:
>
>> RB> Please consider creating signed git release tags, i.e. "git tag -s ...
>> RB> emacs-25.2".
>>
>> I would like to see that as well. I assume it's too late to sign the
>> 25.1 tag.
>
> True, I think it's too late.  My commits (including the one used for the
> release) should all be signed though.

How about signing the release tags from 27.1 and onwards?

Best regards,
Stefan Kangas






* bug#24461: Signing Emacs git release tags
From: Rob Browning @ 2019-09-29 16:05 UTC
  To: Stefan Kangas, Nicolas Petton; +Cc: John Wiegley, 24461

Stefan Kangas <stefan@marxist.se> writes:

> Nicolas Petton <nicolas@petton.fr> writes:

>> True, I think it's too late.  My commits (including the one used for the
>> release) should all be signed though.
>
> How about signing the release tags from 27.1 and onwards?

Hmm, hadn't thought about this -- I don't know what git would do if you
changed an unsigned tag to a signed tag without changing the hash.  At a
minimum, I'd guess that people that already have the tag wouldn't fetch
the new one, but I don't know what else, if anything, git might do about
it (warn, fail, nothing, ...).

And of course, you wouldn't want to rely on whatever current git does
about it, unless that were upstream's intended/documented behavior.

(I suppose if it were deemed important enough, emacs-X.Y-sig tags or
 something could be added for older releases, though the meaning of
 those tags might be somewhat different.)

In any case, after originally filing this, I noticed that you had signed
commits, and I just rely on those now.  So while it might still be nice
to have signed tags (too), it's not all that important to me anymore.

Thanks
-- 
Rob Browning
rlb @defaultvalue.org and @debian.org
GPG as of 2011-07-10 E6A9 DA3C C9FD 1FF8 C676 D2C4 C0F0 39E9 ED1B 597A
GPG as of 2002-11-03 14DD 432F AE39 534D B592 F9A0 25C8 D377 8C7E 73A4






* bug#24461: Signing Emacs git release tags
From: Stefan Kangas @ 2019-09-29 16:22 UTC
  To: Rob Browning; +Cc: John Wiegley, Nicolas Petton, 24461

Rob Browning <rlb@defaultvalue.org> writes:

> In any case, after originally filing this, I noticed that you had signed
> commits, and I just rely on those now.  So while it might still be nice
> to have signed tags (too), it's not all that important to me anymore.

I think signing tags is different than signing commits.  A signed tag
means you can have more trust that you are using the code with the
latest fix to security problem X, announced to have been released in
tagged Emacs version Y, and not code missing that fix.

Best regards,
Stefan Kangas






* bug#24461: Signing Emacs git release tags
From: Rob Browning @ 2019-09-29 17:24 UTC
  To: Stefan Kangas; +Cc: John Wiegley, Nicolas Petton, 24461

Stefan Kangas <stefan@marxist.se> writes:

> I think signing tags is different than signing commits.  A signed tag
> means you can have more trust that you are using the code with the
> latest fix to security problem X, announced to have been released in
> tagged Emacs version Y, and not code missing that fix.

Fair enough -- I suppose without the signed tag, there's no way to be
completely sure that you have the right signed commit.

-- 
Rob Browning
rlb @defaultvalue.org and @debian.org
GPG as of 2011-07-10 E6A9 DA3C C9FD 1FF8 C676 D2C4 C0F0 39E9 ED1B 597A
GPG as of 2002-11-03 14DD 432F AE39 534D B592 F9A0 25C8 D377 8C7E 73A4
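
Added example (not from any message in this thread, and not Emacs project code): what a signed tag binds, shown on constructed tag objects. A signed tag is a separate tag object with its own id pointing at an unchanged commit, and the release name sits inside the signed payload, so a verifier should compare that name with the ref it fetched. The names `proj-1.0` and `proj-1.1`, the commit ids and the signature text are placeholders, and the signature check itself is left to `git verify-tag`.

```python
import hashlib

SIG_BEGIN = b"-----BEGIN PGP SIGNATURE-----"

def git_object_id(obj_type, body):
    """Object id as git computes it: SHA-1 over "<type> <size>\\0" + body."""
    return hashlib.sha1(f"{obj_type} {len(body)}\0".encode() + body).hexdigest()

def split_signed_tag(body):
    """Split a tag object into (signed payload, signature or None).
    The signature is appended to the body and covers every byte before it."""
    idx = body.find(b"\n" + SIG_BEGIN)
    return (body, None) if idx < 0 else (body[:idx + 1], body[idx + 1:])

def tag_headers(payload):
    """Parse the header lines (object, type, tag, tagger) before the blank line."""
    head = payload.split(b"\n\n", 1)[0].decode()
    return dict(line.split(" ", 1) for line in head.split("\n"))

def release_commit(ref_name, body):
    """Return the commit a signed tag names, but only if the signed 'tag'
    field matches the ref it was fetched under. Run the OpenPGP check
    (git verify-tag) as well; this function does not verify the signature."""
    payload, sig = split_signed_tag(body)
    if sig is None:
        raise ValueError("tag object carries no signature")
    h = tag_headers(payload)
    if h["type"] != "commit" or "refs/tags/" + h["tag"] != ref_name:
        raise ValueError(f"signed tag is {h['tag']!r}, not {ref_name!r}")
    return h["object"]

# Constructed sample objects: commit ids, names and signature are placeholders.
def make_tag(name, commit, signed):
    body = (f"object {commit}\ntype commit\ntag {name}\n"
            f"tagger Release Manager <rm@example.org> 1700000000 +0000\n\n"
            f"{name} release\n").encode()
    sig = SIG_BEGIN + b"\n\n(constructed placeholder)\n-----END PGP SIGNATURE-----\n"
    return body + sig if signed else body

OLD, FIXED = "a" * 40, "b" * 40
unsigned = make_tag("proj-1.1", FIXED, signed=False)
signed = make_tag("proj-1.1", FIXED, signed=True)
old_signed = make_tag("proj-1.0", OLD, signed=True)

if __name__ == "__main__":
    print(git_object_id("tag", unsigned), git_object_id("tag", signed))
    print(release_commit("refs/tags/proj-1.1", signed))
```
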






* bug#24461: Signing Emacs git release tags
From: Lars Ingebrigtsen @ 2022-01-24 10:38 UTC
  To: Rob Browning; +Cc: Stefan Kangas, 24461

Rob Browning <rlb@defaultvalue.org> writes:

> Please consider creating signed git release tags, i.e. "git tag -s
> ... emacs-25.2".

It's my understanding that we're going to start doing this starting with
emacs-28.1, but I may be misremembering.  Stefan?

-- 
(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no






* bug#24461: Signing Emacs git release tags
From: Lars Ingebrigtsen @ 2022-02-21 14:26 UTC
  To: Rob Browning; +Cc: Stefan Kangas, 24461

Lars Ingebrigtsen <larsi@gnus.org> writes:

> Rob Browning <rlb@defaultvalue.org> writes:
>
>> Please consider creating signed git release tags, i.e. "git tag -s
>> ... emacs-25.2".
>
> It's my understanding that we're going to start doing this starting with
> emacs-28.1, but I may be misremembering.  Stefan?

Yes, this is planned, but hasn't been implemented yet, as far as I can
tell from the make-tarball.txt file...

-- 
(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no






Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/emacs.git
