PGP signatures for source releases?
Is your feature request related to a problem? Please describe.
It does not seem to be possible to verify release source tarballs.
Are there PGP signatures for source release tarballs? Various documentation points at the signing key which is used for binary packages, but the https://github.com/fluent/fluent-bit/tags release downloads don't include .sig files; I don't see any discussion in existing Issues or Discussions, on https://fluentbit.io, etc. Most individual Git commits are not PGP-signed, either.
Describe the solution you'd like
PGP .sig files alongside downloadable tarballs.
Describe alternatives you've considered
It's conceivable that distro-specific SRPMs or similar are published that are signed; I haven't dug in deeply enough (that'd be kind of wildly convoluted).
Additional context
Signatures for tarballs are helpful for anyone building from source, including other downstream packagers / distributions.
We do not currently sign the source packages or require it for commits - I think the concern for that was putting off contribution (any extra steps or added friction puts people off) but I agree it would be nice to have.
It is likely one for @edsiper to consider, but I would also suggest raising it via the community meeting and/or with @eschabell to bring up with the community team.