Hey @AiyionPrime, it's always nice to hear about someone finding this software useful! Thanks for your packaging efforts, too! :-)
Alas, I'm not actively maintaining this project as I don't have these devices anymore, and I would guess that most of the users probably were using this library with homeassistant (who are now better served by https://github.com/dbuezas/eq3btsmart). The few changes I made last year were related to a quick effort to make the library work with the more recent homeassistant releases which did not pan out in the end, but if that prolongs the usefulness of the tool that's great!
Now, quickly about signing the releases. The releases so far are published on pypi--probably the most popular way to obtain the code--which is immutable as long as you trust them. I understand that having the source tarballs signed by myself could be useful, but it's yet another hurdle for a package I'm not particularly interested in maintaining, so I'm afraid I must personally say 'no' here.
Nevertheless, I will leave this issue open. Maybe someone wants to take over the maintainership and is interested in pursuing this. Thanks for the report and linking to the Debian guide, it's informative to have this information available for any future readers. :-)
Hey there. I've just updated the AUR package to your latest version.
While doing so, I saw releases are not signed yet.
I'd really appreciate it if you considered changing this for upcoming releases.
The Debian maintainers put up a handy guide on how this might become an easy but worthwhile addition to your release process.
https://wiki.debian.org/Creating%20signed%20GitHub%20releases
That way GitHub is not able to change your released package contents without everybody noticing.
A trait that would be appreciated in distribution.
Other than that I really liked the project before and even more now that you cleaned and refactored the codebase so much to suit modern standards. Thanks for your work!
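The concern raised in the issue, seen from the packager's side, as an added example that is not part of the thread or of the project's code: without a maintainer signature, a packager can only pin the digest of the tarball they first downloaded and compare later downloads against it, which detects a later change but says nothing about who produced the first copy. The file names, contents and function names below are constructed for illustration.

```python
import hashlib
import io
import tarfile


def make_tarball(files: dict[str, bytes], mtime: int = 0) -> bytes:
    """Build a small .tar.gz in memory (used only for the constructed samples)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in sorted(files.items()):
            info = tarfile.TarInfo(name)
            info.size, info.mtime = len(data), mtime
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def member_digests(tarball: bytes) -> dict[str, str]:
    """SHA-256 of every regular file in the archive, keyed by path."""
    digests = {}
    with tarfile.open(fileobj=io.BytesIO(tarball), mode="r:gz") as tar:
        for member in tar:
            if member.isfile():
                data = tar.extractfile(member).read()
                digests[member.name] = hashlib.sha256(data).hexdigest()
    return digests


def check_release(downloaded: bytes, pinned_sha256: str, pinned_members: dict[str, str]):
    """Compare a fresh download with the pinned state; return (status, changed_paths)."""
    if hashlib.sha256(downloaded).hexdigest() == pinned_sha256:
        return "match", []
    # The archive bytes differ: find out whether any file content differs too.
    now = member_digests(downloaded)
    changed = sorted(path for path in now.keys() | pinned_members.keys()
                     if now.get(path) != pinned_members.get(path))
    return ("content-changed" if changed else "repacked"), changed


# Constructed sample data: a pinned release, a byte-different repack of the
# same files, and a copy in which one file was altered.
FILES = {"pkg/__init__.py": b"VERSION = '1.0'\n", "pkg/cli.py": b"print('hi')\n"}
ORIGINAL = make_tarball(FILES)
PIN = hashlib.sha256(ORIGINAL).hexdigest()
PIN_MEMBERS = member_digests(ORIGINAL)
REPACKED = make_tarball(FILES, mtime=1)
ALTERED = make_tarball({**FILES, "pkg/cli.py": b"print('changed')\n"})

if __name__ == "__main__":
    for label, blob in [("original", ORIGINAL), ("repacked", REPACKED), ("altered", ALTERED)]:
        print(label, check_release(blob, PIN, PIN_MEMBERS))
```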