| 1 |
So beyond the meeting, I spoke to spearce again, and came up with a more |
| 2 |
detailed plan. |
| 3 |
|
| 4 |
1. We will implement our own reflog to track who pushes commits. It will |
| 5 |
be done by the server-side script making a commit into a submodule. |
| 6 |
|
| 7 |
2. Careful selection of what to sign should work with the following: |
| 8 |
# git diff-tree --no-commit-id -r --raw $commitid ; |
| 9 |
# git cat-file commit $commitid |egrep -v '^(tree|parent|commiter)' |
| 10 |
Need a slightly better parser to trim those 3 lines from the latter. |
| 11 |
Feed that data into gpg --detached-sign. |
| 12 |
But then after we have that, we can either append it onto a commit |
| 13 |
message (would have to trim during verification), or put it in as a |
| 14 |
git note (need to verify trampling). |
| 15 |
This SHOULD be safe across all actions, rewind, merge, cherry-pick. |
| 16 |
|
| 17 |
Log of the discussion attached. |
| 18 |
|
| 19 |
-- |
| 20 |
Robin Hugh Johnson |
| 21 |
Gentoo Linux: Developer, Trustee & Infrastructure Lead |
| 22 |
E-Mail : robbat2@g.o |
| 23 |
GnuPG FP : 11AC BA4F 4778 E3F6 E4ED F38E B27B 944E 3488 4E85 |
Archives