[Development] New git mirror - http://code.qt.io
Adam Majer
adamm at zombino.com
Tue Feb 24 21:01:39 CET 2015
On Tue, Feb 24, 2015 at 12:54:48PM +0000, Hirvonen Olli wrote:
> Hi,
>
> We have installed a new read-only git mirror under qt.io domain
> (http://code.qt.io). The purpose of this git mirror is to act as a
> "authoritative" git mirror for Qt sources, and we plan to change links on
> our own web pages to it where applicable. The new service does not have
> impact to existing mirrors such as GitHub (https://github.com/qtproject)
> and Gitorious (http://qt.gitorious.org/), but we want to have our own
> mirror under qt.io domain as well.
This is nice, but there is something else that could be even more
beneficial. If you guys could sign tags that would be even more
authoritative than a dedicated git. For example, in QtCreator's
repository,
$ git tag -v v3.3.1
object 567c6eb8759436a94835d06cf209956229265220
type commit
tag v3.3.1
tagger Eike Ziller <eike.ziller at theqtcompany.com> 1424783381 +0100
Qt Creator v3.3.1
error: no signature found
error: could not verify the tag 'v3.3.1'
A signed tag automatically verifies the entire history as being
authentic (up to the tag).
- Adam
PS. GPG signed releases would also be nice in addition to simple hash
checksums. For example, one file with ALL hashes that is then signed
would verify these hashes (and all releases) as authentic.
--
Adam Majer
adamm at zombino.com
More information about the Development
mailing list