So beyond the meeting, I spoke to spearce again, and came up with a more
detailed plan.

1. We will implement our own reflog to track who pushes commits. It will
   be done by the server-side script making a commit into a submodule.

2. Careful selection of what to sign should work with the following:
   # git diff-tree --no-commit-id -r --raw $commitid ;
   # git cat-file commit $commitid |egrep -v '^(tree|parent|committer)'
   Need a slightly better parser to trim those 3 lines from the latter.
   Feed that data into gpg --detached-sign.
   But then after we have that, we can either append it onto a commit
   message (would have to trim during verification), or put it in as a
   git note (need to verify trampling).
   This SHOULD be safe across all actions, rewind, merge, cherry-pick.

Log of the discussion attached.

--
Robin Hugh Johnson
Gentoo Linux: Developer, Trustee & Infrastructure Lead
E-Mail : robbat2@g.o
GnuPG FP : 11AC BA4F 4778 E3F6 E4ED F38E B27B 944E 3488 4E85
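
The "slightly better parser" from item 2 of the message above, as an added example that is not part of the original message or of any Gentoo script. It drops tree, parent and committer from the header block only, so message-body lines that happen to start with those words stay in the signed data. The function names and the sample commit objects are constructed for illustration.

```python
# Added example: build the data-to-sign described in item 2 from a raw commit
# object (the output of `git cat-file commit <id>`) plus the diff-tree output.
VOLATILE = (b"tree", b"parent", b"committer")  # differ after rewind/merge/cherry-pick


def strip_volatile_headers(raw_commit: bytes) -> bytes:
    """Remove volatile headers; leave the message body byte-for-byte intact."""
    head, sep, body = raw_commit.partition(b"\n\n")  # first blank line ends headers
    kept, skipping = [], False
    for line in head.split(b"\n"):
        if line.startswith(b" "):
            # Continuation of a multi-line header (e.g. gpgsig): follow its owner.
            if not skipping:
                kept.append(line)
            continue
        skipping = line.split(b" ", 1)[0] in VOLATILE
        if not skipping:
            kept.append(line)
    return b"\n".join(kept) + sep + body


def signing_payload(diff_tree_raw: bytes, raw_commit: bytes) -> bytes:
    """Concatenate the two inputs in the order the plan lists them."""
    return diff_tree_raw + strip_volatile_headers(raw_commit)


# Constructed sample data (not real objects): the same change before and after
# a cherry-pick, so tree, parent and committer all differ between the two.
DIFF = b":100644 100644 1111111 2222222 M\tREADME\n"
MESSAGE = b"Fix typo\n\nparent directory was misspelled\ntree layout unchanged\n"


def make_commit(tree: bytes, parent: bytes, committer: bytes) -> bytes:
    return (
        b"tree %s\nparent %s\nauthor A Dev <a@example.org> 1300000000 +0000\n"
        b"committer %s\n\n" % (tree, parent, committer)
    ) + MESSAGE


ORIGINAL = make_commit(b"a" * 40, b"b" * 40, b"A Dev <a@example.org> 1300000000 +0000")
PICKED = make_commit(b"c" * 40, b"d" * 40, b"B Dev <b@example.org> 1300009999 +0000")

if __name__ == "__main__":
    print(signing_payload(DIFF, ORIGINAL).decode())
```

The egrep filter in the plan would also delete the two body lines beginning with "parent" and "tree"; this version keeps them, and the resulting bytes are what would be handed to gpg for the detached signature.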