immutable releases

[staabm]

I think we should make sure to enable immutable-releases on all sabre-io repos, to make sure a possible attacker cannot override git tags of already published releases.

is there anything which comes to mind we need to take care of before enable this option anywhere?

[phil-davis]

is there anything which comes to mind we need to take care of before enable this option anywhere?

I think “just do it”. It requires being careful when making releases, specially when releasing a new major version.

For patch and minor releases, if a mistake is made, then it is easy (and best anyway), to quickly make a new release with the next patch or minor release number.

For major releases, it is mostly a bit embarrassing if the major release is so crap that we can't fix it with a quick x.0.1 or x.1.0 release, and have to “waste” the major version number, and quickly make another major version release.

[staabm]

I will wait a few days for other peoples opinions.

if nothing comes up, I will enable the flag on friday (we can always disable, in case a blocker comes up).

thank you