Open instilled opened 8 years ago
micha
commented
8 years ago @instilled I think this is a great idea!
I have been thinking that the push task does way too many things currently. What do you think about separating the jar signing into a separate task and deprecating the GPG stuff that's built into the existing push task? @Deraen @alandipert thoughts?
Deraen
commented
8 years ago Yes, separating gpg stuff makes sense.
instilled
commented
8 years ago @micha Awesome! Extracting jar-signing into a separate task does make a lot of sense to me. Would you then rather go for two distinct tasks, one for each signing backend (sign-gpg, sign-keybase) or having only one that is configurable? In my opinion one task should just do fine as the changes really are minimal.
Deraen
commented
8 years ago I think one task makes sense. It is possible that a single project will be deployed by several users who have different preferences on how to sign packages.
Setting up the GPG toolchain is cumbersome (on OSx even more so). With keybase.io things got a lot easier recently. That's why I was wondering if there's an interest in bringing
keybaseintoboot.Changes to the existing
boot.pod.gpgnamespace would be marginal. I've already hacked something together that hooks into the existingboot.core.built-in/pushtask. Actually italter-var-rootsboot.pod.gpg/sign-jartoinstilled.boot.keybase/sign-jarin a task, see here.Instead of that hackery, if there's interest into bringing this into boot, we should find a better way to accomplish this. An env var à la
BOOT_SIGN_TOOL={gpg,keybase}or an additional parameter toboot.core.built-int/pushand a minor rework ofboot.pod.gpgwould probably just do fine.Let me know what you think!
Cheers, Fabio