Jonathan Riddell skrev den 2016-12-20 12:39:
On 20 December 2016 at 11:29, Dag <dand...@get2net.dk> wrote:
Any pgp key will do, the only requirement is a packager like myself
can verify it's the one the Calligra devs used which is usually done
by putting it on a pgp key server and putting the full fingerprint on
the release announcement web page and/or e-mails (not on a wiki as
Kirigami devs like to do).
Thought that was what the trust part should do, anybody could create a
key
and say they where a calligra dev.
OTOH probably some of us would protest if calligra was released and
none of
us knew about it ;)
Put it on a trusted place like calligra.org and voila, it's trusted.
It's important to include in any announcement to packagers though so
we know what key we should be looking for.
Yes, I see. So who can put up a page like that on calligra.org?
See for example my key on https://www.kde.org/info/plasma-5.8.0.php
I do share Boud's frustration with gpg-agent, it's a tricksy beastie
which sometimes works and sometimes doesn't. But it should be possible
to turn it off and just enter any password in directly.
7. Notify packagers and wait some time (a week?) for feedback
A week feels a bit much to me but as you wish
Less is more in this case. What would you suggest would be enough?
Both Plasma and Applications seem to use Thursday to Tuesday.
Frameworks leaves a week still. With automated testing there
shouldn't be a need for so long is the thinking these days.
Ok, so ~5 days, including a weekend...
Jonathan
