Open instilled opened 8 years ago
@instilled I think this is a great idea!
I have been thinking that the push
task does way too many things currently. What do you think about separating the jar signing into a separate task and deprecating the GPG stuff that's built into the existing push
task? @Deraen @alandipert thoughts?
Yes, separating gpg stuff makes sense.
@micha Awesome! Extracting jar-signing into a separate task does make a lot of sense to me. Would you then rather go for two distinct tasks, one for each signing backend (sign-gpg, sign-keybase) or having only one that is configurable? In my opinion one task should just do fine as the changes really are minimal.
I think one task makes sense. It is possible that a single project will be deployed by several users who have different preferences on how to sign packages.
Setting up the GPG toolchain is cumbersome (on OSx even more so). With keybase.io things got a lot easier recently. That's why I was wondering if there's an interest in bringing
keybase
intoboot
.Changes to the existing
boot.pod.gpg
namespace would be marginal. I've already hacked something together that hooks into the existingboot.core.built-in/push
task. Actually italter-var-root
sboot.pod.gpg/sign-jar
toinstilled.boot.keybase/sign-jar
in a task, see here.Instead of that hackery, if there's interest into bringing this into boot, we should find a better way to accomplish this. An env var à la
BOOT_SIGN_TOOL={gpg,keybase}
or an additional parameter toboot.core.built-int/push
and a minor rework ofboot.pod.gpg
would probably just do fine.Let me know what you think!
Cheers, Fabio