GitHub now supports locking a release, its tag, and all artefacts once a release is published (as well as publishing an attestation of the release). The main downside is that if we mess up the set of artefacts we can't change it afterwards, but that is kind of the point (it is meant to avoid supply-chain attacks).
Are there any objections to doing this? My only concern is that we have had to go back to old releases and fix them in the past, so this is not without precedent...
(FWIW, I also suspect that we are kind of violating the LGPL for glibc at the moment and probably should start releasing the Docker image we use for our build so that the user can fetch any relevant source packages from Debian.)
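To make the supply-chain risk concrete: the thing release locking removes is the possibility of an asset being swapped, added or deleted after people have started downloading it. Until a release is locked, the only way to notice that is to record a manifest of the assets at publish time and compare it later. The script below is an added illustration (not part of this thread or the project's own tooling) that does exactly that comparison over constructed sample bytes; the asset names and contents are made up, and a real check would download the assets and read the digests from the release rather than from in-memory literals.

```python
"""Detect post-publication changes to a release's asset set.

Added example, not project code. The asset names and bytes below are
constructed; in practice `PUBLISHED` would be the manifest recorded when
the release was cut and `LATER` would be built from freshly downloaded
assets.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    size: int
    sha256: str


def digest(data: bytes) -> str:
    """Hex SHA-256 of an asset's bytes."""
    return hashlib.sha256(data).hexdigest()


def snapshot(assets: dict[str, bytes]) -> dict[str, Asset]:
    """Build a manifest (name -> Asset) from asset name -> content."""
    return {name: Asset(name, len(blob), digest(blob)) for name, blob in assets.items()}


def diff_snapshots(before: dict[str, Asset], after: dict[str, Asset]) -> dict[str, list[str]]:
    """Report assets that were added, removed, or whose digest changed."""
    names_before, names_after = set(before), set(after)
    return {
        "added": sorted(names_after - names_before),
        "removed": sorted(names_before - names_after),
        "changed": sorted(
            n for n in names_before & names_after if before[n].sha256 != after[n].sha256
        ),
    }


def is_unchanged(report: dict[str, list[str]]) -> bool:
    """True only if the asset set is exactly what was published."""
    return not any(report.values())


# Constructed sample: the manifest recorded at publish time ...
PUBLISHED = {
    "tool-1.0-linux-x86_64.tar.gz": b"constructed linux tarball bytes v1",
    "tool-1.0-macos-arm64.tar.gz": b"constructed macos tarball bytes v1",
}

# ... and what a consumer sees some time later: one asset replaced with
# different bytes, one removed, one added. All three are what a locked
# release makes impossible.
LATER = {
    "tool-1.0-linux-x86_64.tar.gz": b"constructed linux tarball bytes v1 TAMPERED",
    "tool-1.0-windows-x86_64.zip": b"constructed windows zip bytes",
}


def check_release() -> dict[str, list[str]]:
    """Compare the published manifest against the current asset set."""
    return diff_snapshots(snapshot(PUBLISHED), snapshot(LATER))


if __name__ == "__main__":
    report = check_release()
    status = "unchanged" if is_unchanged(report) else "MODIFIED AFTER PUBLICATION"
    print(status)
    for kind, names in report.items():
        for name in names:
            print(f"  {kind}: {name}")
```

The same idea is what the release attestation gives consumers without them having to keep their own manifest: the signed statement names the exact artefacts, so anything outside that set fails verification. Once a release is locked, the manifest cannot drift in the first place, which is why the inability to "fix" an old release afterwards is the feature rather than a bug; a corrected build has to ship as a new release.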