Posted to commits@airflow.apache.org by GitBox <gi...@apache.org> on 2020/04/03 17:01:08 UTC

[GitHub] [airflow] potiuk commented on issue #8005: Use annotated tags for releases?

potiuk commented on issue #8005: Use annotated tags for releases?
URL: https://github.com/apache/airflow/issues/8005#issuecomment-608552727
 
 
   Agree with @ashb 
   
   I was in a project where all commits and all tags were signed and during release, the signatures were verified with public keys of all the developers. But this was a project that had requirements coming from payment certifications and it had really high security requirements (thus bureaucracy). I personally designed a procedure where the OS for the terminal was prepared in a secure room which was electromagnetically isolated and it was built on a laptop that had never been connected to the internet. The public keys of all developers were stored on a USB kept in a safe. True story! Not so long ago.
   
   But let's get back to the ground. This is an open-source project that has plenty of eyes looking at it every day. There is no reason to use annotated tags for it.
   
   If you want to introduce annotations and signing - you really have to go all the way and secure every single step of the process. As long as you have no way to verify whether the tag has been signed by the right people, it does not give you much.

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
users@infra.apache.org


With regards,
Apache Git Services
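
The comment's closing point, that a signature only helps if you can check it came from the right people, as an added example (not part of the original comment and not Airflow's release tooling): a signer check over the GnuPG status lines that `git verify-tag --raw` emits. The function names, the allowlist file format (one primary-key fingerprint per line) and all sample values are assumptions constructed for illustration.

```shell
# Added example: check WHO signed a tag, not just that a signature exists.
# Real input would come from:  status=$(git verify-tag --raw "$tag" 2>&1)

# Print the primary-key fingerprint of a valid signature, or fail.
# VALIDSIG's last field is the primary key; the first may be a signing subkey.
# VALIDSIG alone is not enough: it also appears for expired or revoked keys.
signer_fingerprint() {
    awk '$1 != "[GNUPG:]" { next }
         $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
         $2 == "VALIDSIG" { fpr = $NF }
         END { if (bad || fpr == "") exit 1; print fpr }'
}

# signer_is_trusted STATUS_TEXT ALLOWLIST_FILE
# Succeeds only if the signer's primary fingerprint is a whole-line match
# in the pinned allowlist (kept outside the repository being verified).
signer_is_trusted() {
    _fpr=$(printf '%s\n' "$1" | signer_fingerprint) || return 1
    grep -qxF -- "$_fpr" "$2"
}

# Constructed sample data (not real keys).
SAMPLE_SUBKEY=1111111111111111111111111111111111111111
SAMPLE_PRIMARY=2222222222222222222222222222222222222222
SAMPLE_GOOD="[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 2222222222222222 Release Manager <rm@example.org>
[GNUPG:] VALIDSIG $SAMPLE_SUBKEY 2020-04-03 1585933268 0 4 0 1 10 00 $SAMPLE_PRIMARY"
SAMPLE_EXPIRED="[GNUPG:] NEWSIG
[GNUPG:] EXPKEYSIG 2222222222222222 Release Manager <rm@example.org>
[GNUPG:] VALIDSIG $SAMPLE_SUBKEY 2020-04-03 1585933268 0 4 0 1 10 00 $SAMPLE_PRIMARY"
```

A tag signed by a key that is cryptographically valid but absent from the allowlist fails this check, which is the gap the comment describes.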