* bug#24461: Signing Emacs git release tags @ 2016-09-18 18:12 Rob Browning 2016-09-18 19:49 ` John Wiegley ` (2 more replies) 0 siblings, 3 replies; 9+ messages in thread From: Rob Browning @ 2016-09-18 18:12 UTC (permalink / raw) To: 24461 Package: emacs Severity: wishlist Please consider creating signed git release tags, i.e. "git tag -s ... emacs-25.2". Thanks -- Rob Browning rlb @defaultvalue.org and @debian.org GPG as of 2011-07-10 E6A9 DA3C C9FD 1FF8 C676 D2C4 C0F0 39E9 ED1B 597A GPG as of 2002-11-03 14DD 432F AE39 534D B592 F9A0 25C8 D377 8C7E 73A4 ^ permalink raw reply [flat|nested] 9+ messages in thread
* bug#24461: Signing Emacs git release tags 2016-09-18 18:12 bug#24461: Signing Emacs git release tags Rob Browning @ 2016-09-18 19:49 ` John Wiegley 2016-09-18 21:09 ` Nicolas Petton 2019-09-29 4:26 ` Stefan Kangas 2022-01-24 10:38 ` Lars Ingebrigtsen 2 siblings, 1 reply; 9+ messages in thread From: John Wiegley @ 2016-09-18 19:49 UTC (permalink / raw) To: Rob Browning; +Cc: Nicolas Petton, 24461 >>>>> "RB" == Rob Browning <rlb@defaultvalue.org> writes: RB> Please consider creating signed git release tags, i.e. "git tag -s ... RB> emacs-25.2". I would like to see that as well. I assume it's too late to sign the 25.1 tag. -- John Wiegley GPG fingerprint = 4710 CF98 AF9B 327B B80F http://newartisans.com 60E1 46C4 BD1A 7AC1 4BA2 ^ permalink raw reply [flat|nested] 9+ messages in thread
* bug#24461: Signing Emacs git release tags 2016-09-18 19:49 ` John Wiegley @ 2016-09-18 21:09 ` Nicolas Petton 0 siblings, 0 replies; 9+ messages in thread From: Nicolas Petton @ 2016-09-18 21:09 UTC (permalink / raw) To: John Wiegley, Rob Browning; +Cc: 24461 [-- Attachment #1: Type: text/plain, Size: 350 bytes --] John Wiegley <jwiegley@gmail.com> writes: > RB> Please consider creating signed git release tags, i.e. "git tag -s ... > RB> emacs-25.2". > > I would like to see that as well. I assume it's too late to sign the > 25.1 tag. True, I think it's too late. My commits (including the one used for the release) should all be signed though. Cheers, Nico [-- Attachment #2: signature.asc --] [-- Type: application/pgp-signature, Size: 512 bytes --] ^ permalink raw reply [flat|nested] 9+ messages in thread
* bug#24461: Signing Emacs git release tags 2016-09-18 18:12 bug#24461: Signing Emacs git release tags Rob Browning 2016-09-18 19:49 ` John Wiegley @ 2019-09-29 4:26 ` Stefan Kangas 2019-09-29 16:05 ` Rob Browning 2022-01-24 10:38 ` Lars Ingebrigtsen 2 siblings, 1 reply; 9+ messages in thread From: Stefan Kangas @ 2019-09-29 4:26 UTC (permalink / raw) To: Nicolas Petton; +Cc: John Wiegley, Rob Browning, 24461 Nicolas Petton <nicolas@petton.fr> writes: > John Wiegley <jwiegley@gmail.com> writes: > >> RB> Please consider creating signed git release tags, i.e. "git tag -s ... >> RB> emacs-25.2". >> >> I would like to see that as well. I assume it's too late to sign the >> 25.1 tag. > > True, I think it's too late. My commits (including the one used for the > release) should all be signed though. How about signing the release tags from 27.1 and onwards? Best regards, Stefan Kangas ^ permalink raw reply [flat|nested] 9+ messages in thread
* bug#24461: Signing Emacs git release tags 2019-09-29 4:26 ` Stefan Kangas @ 2019-09-29 16:05 ` Rob Browning 2019-09-29 16:22 ` Stefan Kangas 0 siblings, 1 reply; 9+ messages in thread From: Rob Browning @ 2019-09-29 16:05 UTC (permalink / raw) To: Stefan Kangas, Nicolas Petton; +Cc: John Wiegley, 24461 Stefan Kangas <stefan@marxist.se> writes: > Nicolas Petton <nicolas@petton.fr> writes: >> True, I think it's too late. My commits (including the one used for the >> release) should all be signed though. > > How about signing the release tags from 27.1 and onwards? Hmm, hadn't thought about this -- I don't know what git would do if you changed an unsigned tag to a signed tag without changing the hash. At a minimum, I'd guess that people that already have the tag wouldn't fetch the new one, but I don't know what else, if anything, git might do about it (warn, fail, nothing, ...). And of course, you wouldn't want to rely on whatever current git does about it, unless that were upstream's intended/documented behavior. (I suppose if it were deemed important enough, emacs-X.Y-sig tags or something could be added for older releases, though the meaning of those tags might be somewhat different.) In any case, after originally filing this, I noticed that you had signed commits, and I just rely on those now. So while it might still be nice to have signed tags (too), it's not all that important to me anymore. Thanks -- Rob Browning rlb @defaultvalue.org and @debian.org GPG as of 2011-07-10 E6A9 DA3C C9FD 1FF8 C676 D2C4 C0F0 39E9 ED1B 597A GPG as of 2002-11-03 14DD 432F AE39 534D B592 F9A0 25C8 D377 8C7E 73A4 ^ permalink raw reply [flat|nested] 9+ messages in thread
* bug#24461: Signing Emacs git release tags 2019-09-29 16:05 ` Rob Browning @ 2019-09-29 16:22 ` Stefan Kangas 2019-09-29 17:24 ` Rob Browning 0 siblings, 1 reply; 9+ messages in thread From: Stefan Kangas @ 2019-09-29 16:22 UTC (permalink / raw) To: Rob Browning; +Cc: John Wiegley, Nicolas Petton, 24461 Rob Browning <rlb@defaultvalue.org> writes: > In any case, after originally filing this, I noticed that you had signed > commits, and I just rely on those now. So while it might still be nice > to have signed tags (too), it's not all that important to me anymore. I think signing tags is different than signing commits. A signed tag means you can have more trust that you are using the code with the latest fix to security problem X, announced to have been released in tagged Emacs version Y, and not code missing that fix. Best regards, Stefan Kangas ^ permalink raw reply [flat|nested] 9+ messages in thread
* bug#24461: Signing Emacs git release tags 2019-09-29 16:22 ` Stefan Kangas @ 2019-09-29 17:24 ` Rob Browning 0 siblings, 0 replies; 9+ messages in thread From: Rob Browning @ 2019-09-29 17:24 UTC (permalink / raw) To: Stefan Kangas; +Cc: John Wiegley, Nicolas Petton, 24461 Stefan Kangas <stefan@marxist.se> writes: > I think signing tags is different than signing commits. A signed tag > means you can have more trust that you are using the code with the > latest fix to security problem X, announced to have been released in > tagged Emacs version Y, and not code missing that fix. Fair enough -- I suppose without the signed tag, there's no way to be completely sure that you have the right signed commit. -- Rob Browning rlb @defaultvalue.org and @debian.org GPG as of 2011-07-10 E6A9 DA3C C9FD 1FF8 C676 D2C4 C0F0 39E9 ED1B 597A GPG as of 2002-11-03 14DD 432F AE39 534D B592 F9A0 25C8 D377 8C7E 73A4 ^ permalink raw reply [flat|nested] 9+ messages in thread
* bug#24461: Signing Emacs git release tags 2016-09-18 18:12 bug#24461: Signing Emacs git release tags Rob Browning 2016-09-18 19:49 ` John Wiegley 2019-09-29 4:26 ` Stefan Kangas @ 2022-01-24 10:38 ` Lars Ingebrigtsen 2022-02-21 14:26 ` Lars Ingebrigtsen 2 siblings, 1 reply; 9+ messages in thread From: Lars Ingebrigtsen @ 2022-01-24 10:38 UTC (permalink / raw) To: Rob Browning; +Cc: Stefan Kangas, 24461 Rob Browning <rlb@defaultvalue.org> writes: > Please consider creating signed git release tags, i.e. "git tag -s > ... emacs-25.2". It's my understanding that we're going to start doing this starting with emacs-28.1, but I may be misremembering. Stefan? -- (domestic pets only, the antidote for overdose, milk.) bloggy blog: http://lars.ingebrigtsen.no ^ permalink raw reply [flat|nested] 9+ messages in thread
* bug#24461: Signing Emacs git release tags 2022-01-24 10:38 ` Lars Ingebrigtsen @ 2022-02-21 14:26 ` Lars Ingebrigtsen 0 siblings, 0 replies; 9+ messages in thread From: Lars Ingebrigtsen @ 2022-02-21 14:26 UTC (permalink / raw) To: Rob Browning; +Cc: Stefan Kangas, 24461 Lars Ingebrigtsen <larsi@gnus.org> writes: > Rob Browning <rlb@defaultvalue.org> writes: > >> Please consider creating signed git release tags, i.e. "git tag -s >> ... emacs-25.2". > > It's my understanding that we're going to start doing this starting with > emacs-28.1, but I may be misremembering. Stefan? Yes, this is planned, but hasn't been implemented yet, as far as I can tell from the make-tarball.txt file... -- (domestic pets only, the antidote for overdose, milk.) bloggy blog: http://lars.ingebrigtsen.no ^ permalink raw reply [flat|nested] 9+ messages in thread
end of thread, other threads:[~2022-02-21 14:26 UTC | newest] Thread overview: 9+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2016-09-18 18:12 bug#24461: Signing Emacs git release tags Rob Browning 2016-09-18 19:49 ` John Wiegley 2016-09-18 21:09 ` Nicolas Petton 2019-09-29 4:26 ` Stefan Kangas 2019-09-29 16:05 ` Rob Browning 2019-09-29 16:22 ` Stefan Kangas 2019-09-29 17:24 ` Rob Browning 2022-01-24 10:38 ` Lars Ingebrigtsen 2022-02-21 14:26 ` Lars Ingebrigtsen
Code repositories for project(s) associated with this public inbox https://git.savannah.gnu.org/cgit/emacs.git This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).