[FFmpeg-devel] [RFC] git and signing commits and tags
James Almer
jamrial at gmail.com
Mon Aug 8 18:02:39 EEST 2022
On 8/8/2022 11:50 AM, Michael Niedermayer wrote:
> Given the recent server issues, i wonder if we should suggest/recommand
> and document signing commits and tags
fwiw, the git repo isn't hosted in the server that had issues.
>
> i tried to push such commit to github and it nicely says "verified"
> https://github.com/michaelni/FFmpeg/commit/75f196acd16fb0c0ca7a94f0c66072e7c6f736bf
>
> Ive generated a new gpg key for this experiment as i dont have my
> main key on the box used for git development and also using more
> modern eliptic curve stuff (smaller keys & sigs)
> i will upload this key to the keyservers in case it becomes the
> one i use for git.
I agree 100% we should sign release tags, and not only the tarballs.
Telling people to sign random commits isn't as useful, but if people
want to do it then that's fine too.
>
> -----BEGIN PGP PUBLIC KEY BLOCK-----
>
> mDMEYvA3sxYJKwYBBAHaRw8BAQdAhF26S5QlUZssryHGHLYw61FsF+0s54qWEDm1
> Rurfi5O0ME1pY2hhZWwgTmllZGVybWF5ZXIgPG1pY2hhZWwtZ2l0QG5pZWRlcm1h
> eWVyLmNjPoiWBBMWCAA+FiEE3R7J6N4IXGKbPhhGsY6JKLOUjWQFAmLwN7MCGwMF
> CQPCZwAFCwkIBwIGFQoJCAsCBBYCAwECHgECF4AACgkQsY6JKLOUjWTKMwD8DW39
> MrtvYdjP/CvxWTma+MErgkFfrx67y+zO0r6vYmYA/063Y7s6+ef0Whydf5xlJLYF
> nX3ZwXnZubVsjJz0WV0EuDgEYvA3sxIKKwYBBAGXVQEFAQEHQD381bpdRfPa3DjW
> WFQx1IeRgeSavPep1v4C2noShjcTAwEIB4h4BBgWCAAgFiEE3R7J6N4IXGKbPhhG
> sY6JKLOUjWQFAmLwN7MCGwwACgkQsY6JKLOUjWRryQEA+nEGWw5ygbiYpSe34erz
> opoxh+iIUdzl+OnyU2fpNVsA/A91nhyyR8eMlAptr16FVoEnZBHtcK2cTcGxqkdL
> JMkG
> =D6v5
> -----END PGP PUBLIC KEY BLOCK-----
>
>
>
> _______________________________________________
> ffmpeg-devel mailing list
> ffmpeg-devel at ffmpeg.org
> https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
>
> To unsubscribe, visit link above, or email
> ffmpeg-devel-request at ffmpeg.org with subject "unsubscribe".
More information about the ffmpeg-devel
mailing list