Hi Thomas,

On 21 August 2015 at 04:51, Thomas Koch <tho...@koch.ro> wrote:
> Hi,
>
> we want upstream to sign releases. Nowadays a lot of software is on github and
> a release is just a git tag. - An unsigned git tag ... :-(
>
> Github has a site that shows tags[1] but it does not give any indication
> whether the tag is signed or not.
> [1] e.g. https://github.com/Flameeyes/unpaper/tags
>
> Github should add visual feedback on this tags page: grey for unsigned, yellow
> for signed and green for signed and connected to the web-of-trust. Next to a
> grey or yellow tag there should be links to help texts.

Looks like they answered your request. Since last week GitHub now shows[1] whether commits or tags are signed. They didn't follow your color scheme, as the signatures are verified against the public key configured in your profile (and then marked as green) and not a web-of-trust.

On 21 August 2015 at 05:10, Timo Weingärtner <t...@tiwe.de> wrote:
> While I think signed tags are enough, many things rely on signed tarballs.
> github should thus also allow uploading signatures for the tarball generated
> from the (signed) tags and provide instructions for how to generate the
> tarballs yourself.

This feature went missing. The help section regarding GPG[2] doesn't say anything about uploading tarball signatures. Unfortunately, this is the part that would interest Debian most.

Regards,
Tiago.

[1]: https://github.com/blog/2144-gpg-signature-verification
[2]: https://help.github.com/categories/gpg/

-- 
Tiago "Myhro" Ilieve
Blog: https://blog.myhro.info/
GitHub: https://github.com/myhro
LinkedIn: https://br.linkedin.com/in/myhro
Montes Claros - MG, Brasil
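
The distinction discussed in this thread (unsigned tag, signed tag, signed tag whose key the local web-of-trust vouches for) can be checked in a local clone. The script below is an added example, not part of the original messages and not GitHub's implementation; the function names and state labels are this example's own, and it only recognises OpenPGP signatures.

```shell
#!/bin/sh
# Added example: classify tags by signature state in a local clone.
# State labels (missing, unsigned, signed-...) are this example's own names.

# Print the state of one tag:
#   missing | unsigned | signed-unverified | signed-good | signed-trusted
tag_sig_state() {
    repo=$1 tag=$2
    type=$(git -C "$repo" cat-file -t "refs/tags/$tag" 2>/dev/null) || {
        echo missing; return 0
    }
    # A lightweight tag is only a ref to a commit; just an annotated tag
    # object has a body that can carry a signature.
    if [ "$type" != tag ]; then
        echo unsigned; return 0
    fi
    # Annotated but without an OpenPGP signature block: still unsigned.
    if ! git -C "$repo" cat-file tag "refs/tags/$tag" |
            grep -q '^-----BEGIN PGP SIGNATURE-----'; then
        echo unsigned; return 0
    fi
    # --raw passes through GnuPG's machine-readable status lines.
    status=$(git -C "$repo" verify-tag --raw "$tag" 2>&1) || true
    case $status in
        *"[GNUPG:] GOODSIG"*)
            # Valid signature; trusted only if the local keyring's trust
            # calculation rates the key as fully or ultimately valid.
            case $status in
                *"[GNUPG:] TRUST_FULLY"*|*"[GNUPG:] TRUST_ULTIMATE"*)
                    echo signed-trusted ;;
                *)  echo signed-good ;;
            esac ;;
        # Key missing, expired or revoked, bad signature, or gpg not installed.
        *)  echo signed-unverified ;;
    esac
}

# Print every tag of a repository with its state, one per line.
list_tag_states() {
    repo=$1
    git -C "$repo" tag -l | while IFS= read -r tag; do
        printf '%-20s %s\n' "$tag" "$(tag_sig_state "$repo" "$tag")"
    done
}
```

In the color scheme proposed in the quoted message, `unsigned` corresponds to grey, `signed-good` and `signed-unverified` to yellow, and `signed-trusted` to green.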