From 5eef4b1ba1ea6cecf7fd546ad46aff809f50c09c Mon Sep 17 00:00:00 2001 From: Hugo Osvaldo Barrera Date: Wed, 10 Jun 2020 16:42:35 +0200 Subject: [PATCH] Document GH Releases and signing --- docs/packaging.rst | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/docs/packaging.rst b/docs/packaging.rst index 67a29e3..4089f82 100644 --- a/docs/packaging.rst +++ b/docs/packaging.rst @@ -15,13 +15,19 @@ Obtaining the source code The main distribution channel is `PyPI `_, and source tarballs can be -obtained there. Do not use the ones from GitHub: Their tarballs contain useless -junk and are more of a distraction than anything else. +obtained there. We mirror the same package tarball and wheel as GitHub +releases. Please do not confuse these with the auto-generated GitHub "Source +Code" tarball; that one contains useless junk and are more of a distraction +than anything else. -I give each release a tag in the git repo. If you want to get notified of new +We give each release a tag in the git repo. If you want to get notified of new releases, `GitHub's feed `_ is a good way. +Tags will be signed by the maintainer who is doing the release (starting with +0.16.8), and generation of the tarball and wheel is done by CI. Hence, only the +tag itself is signed. + Dependency versions ===================
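Review bot: The added paragraph ending "Hence, only the tag itself is signed" gives a packager nothing to act on: it names no place to obtain the maintainers' public keys or fingerprints and no verification step. It also leaves implicit that the CI-generated tarball and wheel on PyPI and GitHub releases carry no signature of their own. Suggest stating where the release keys are published, that the tag can be checked with `git verify-tag <tag>`, and how (or whether) a downloaded tarball can be tied back to the signed tag. Minor, in the first added paragraph: "that one contains useless junk and are more of a distraction" should read "and is more of a distraction".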