author	Philip Withnall <philip@tecnocode.co.uk>	2021-09-07 11:21:15 +0000
committer	Philip Withnall <philip@tecnocode.co.uk>	2021-09-07 11:21:15 +0000
commit	573c629beca7e16d3acacffff8f1339c34a64cb6 (patch)
tree	81f43f78d6389522bdfe7316cb930ee0b1aff314
parent	21a27f4eb7bafe0709a5ccf757a01f298c8ba31f (diff)
parent	b8160ce18b60cd5dfe04ee369f3a8f80dceee0aa (diff)
download	glib-573c629beca7e16d3acacffff8f1339c34a64cb6.tar.gz
Merge branch 'readme-release-signing' into 'main'

docs: Add a note about git-evtag to SECURITY.md

See merge request GNOME/glib!2110
-rw-r--r--	SECURITY.md	11
1 files changed, 11 insertions, 0 deletions
diff --git a/SECURITY.md b/SECURITY.md
index 3505b2abf..e49460a1f 100644
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -17,6 +17,17 @@ Under GLib’s versioning scheme, stable release series have an *even* minor
component (for example, 2.66.0, 2.66.1, 2.68.3), and development release series
have an *odd* minor component (2.67.1, 2.69.0).
+## Signed Releases
+
+The git tags for all releases ≥2.58.0 are signed by a maintainer using
+[git-evtag](https://github.com/cgwalters/git-evtag). The maintainer will use
+their personal GPG key; there is currently not necessarily a formal chain of
+trust for these keys. Please [create an issue](https://gitlab.gnome.org/GNOME/glib/-/issues/new)
+if you would like to work on improving this.
+
+Unsigned releases ≥2.58.0 should not be trusted. Releases prior to 2.58.0 were
+not signed.
+
## Reporting a Vulnerability
If you think you've identified a security issue in GLib, GObject or GIO, please
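Review bot: The new "Signed Releases" section tells readers that unsigned releases ≥2.58.0 should not be trusted, but gives them no way to act on that: it does not say how to check a tag signature (for example `git evtag verify <tag>`), nor where to obtain or how to identify the maintainers' personal GPG keys that the signatures are made with. Without at least a pointer to the keys, "signed by a maintainer" cannot be distinguished from "signed by anyone", which is the very gap the paragraph about the missing chain of trust acknowledges. Suggest adding a short verification step and a reference to where the maintainer keys (or their fingerprints) are published, so the "should not be trusted" guidance becomes checkable rather than advisory.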