On 23 August 2011 17:22, Alexey Shvetsov <alexxy@g.o> wrote:
> On Tue, 23 Aug 2011 07:57:24 -0700, Zac Medico wrote:
>>
>> On 08/23/2011 07:02 AM, Alexey Shvetsov wrote:
>>>
>>> Ok. What are the problems with thin Manifests (some kind of this is already
>>> implemented in funtoo)
>>
>> This is really easy to do. Like the manifest1 -> manifest2 migration,
>> we'll need some kind of repository marker which indicates the manifest
>> format. For example, we could use an entry in metadata/layout.conf for
>> this purpose (as I've already suggested in bug #333691).
>>
>>> and commit signing (this means gpg signing or something else?).
>>
>> I guess the existing manifest signing technique is likely to trigger
>> merge conflicts in the manifests. I suppose we could use another marker,
>> similar to the thin manifest marker, to indicate that the existing
>> manifest signing technique should not be used in the git tree.
>
> Yep, signing git commits with gpg should avoid conflicts. Maybe we can use
> something like this [1]
> [1]
> http://weierophinney.net/matthew/archives/236-GPG-signing-Git-Commits.html

After a quick look, it doesn't seem to add any security whatsoever -
it signs only the commit message.

-- 
Regards
Piotr Jaroszyński
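The concern in the last message, as an added example that is not part of the original thread: a signature computed over the commit message alone still verifies after the commit's tree is swapped, while one computed over the whole commit object does not. HMAC-SHA256 with a constructed key stands in for GPG so the block runs offline; the file name, contents, identity and message are constructed.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"  # assumption: HMAC stands in for a GPG key pair


def git_object_id(kind: str, body: bytes) -> str:
    """Object id as git computes it: SHA-1 over '<kind> <len>' + NUL + body."""
    return hashlib.sha1(f"{kind} {len(body)}".encode() + b"\x00" + body).hexdigest()


def tree_with_file(name: str, content: bytes) -> str:
    """Id of a tree object holding one regular file (mode 100644)."""
    blob_id = bytes.fromhex(git_object_id("blob", content))
    return git_object_id("tree", f"100644 {name}".encode() + b"\x00" + blob_id)


def commit_body(tree_id: str, message: str) -> bytes:
    """Minimal commit object body; the identity line is constructed."""
    ident = "Dev <dev@example.org> 1314112920 +0000"
    return f"tree {tree_id}\nauthor {ident}\ncommitter {ident}\n\n{message}\n".encode()


def sign(data: bytes) -> str:
    return hmac.new(KEY, data, hashlib.sha256).hexdigest()


def verify(data: bytes, signature: str) -> bool:
    return hmac.compare_digest(sign(data), signature)


def demo() -> dict:
    message = "app-misc/foo: version bump"  # constructed
    original = commit_body(tree_with_file("foo-1.1.ebuild", b"SLOT=0\n"), message)
    swapped = commit_body(tree_with_file("foo-1.1.ebuild", b"SLOT=1\n"), message)
    message_sig = sign(message.encode())  # covers the message text only
    object_sig = sign(original)           # covers tree id, identities and message
    return {
        # The message is unchanged, so the message-only signature still verifies.
        "message_sig_accepts_swapped_tree": verify(message.encode(), message_sig),
        # The tree id is part of the signed bytes, so the swap is detected.
        "object_sig_accepts_swapped_tree": verify(swapped, object_sig),
        "object_sig_accepts_original": verify(original, object_sig),
        "commit_ids_differ": git_object_id("commit", original)
        != git_object_id("commit", swapped),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```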