List Archive: gentoo-scm
On Wednesday 18 February 2009, Robin H. Johnson wrote:
> Using the converse, all files covered by AUX, DIST, MISC have GIT
> SHA1 commit ids. Explicitly performing a checksum on them is not
> needed, just extract it from Git.
These hashes would need to be regenerated for the rsync though, because
otherwise it does not provide integrity and this would make tree
signing impossible. Overlays would have to abandon the hashes though,
otherwise you'll get the same merge trouble again.
> When it comes to generating the outgoing Manifests for users on the
> central server, it's pretty simple.
>
> The only downside I see is the potential for a degree of lesser
> security for anybody using the Git repo directly instead of rsync.
It'll also ease attacks on distfiles when first mirroring them.
Currently, developers download the code (verify checksums, gpg, or
review the code, ... at least sometimes) and then commit the hash of
what they have seen. The distfiles master box then verifies that hash
and users only ever can install it if it's the same the dev had seen.
If the distfiles master is the one generating that hash, there is (1) a
time gap between the dev reviewing the file and the box getting the
hash and (2) only one box would need to be attacked via
man-in-the-middle, whereas it is currently two.
Robert
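The trust difference raised in the message above, as an added example (not part of the original thread and not Gentoo's own tooling): a distfile is checked against a Manifest `DIST` entry, once with the entry committed by a developer after review and once with the entry generated by the mirror from whatever it fetched. The entry layout follows Manifest2 (`DIST <name> <size> <ALGO> <hex>`); the file name, contents and function names are constructed for illustration.

```python
import hashlib
import hmac


def parse_dist_line(line):
    """Parse a Manifest2 'DIST <name> <size> <ALGO> <hex> ...' entry."""
    fields = line.split()
    # DIST + name + size + one or more (algo, hex) pairs => odd count >= 5
    if len(fields) < 5 or fields[0] != "DIST" or len(fields) % 2 == 0:
        raise ValueError("not a well-formed DIST entry")
    digests = dict(zip(fields[3::2], fields[4::2]))
    return fields[1], int(fields[2]), digests


def make_dist_line(name, data):
    """Hash the bytes at hand: done by the developer after review today,
    or by the distfiles master on first fetch in the proposed scheme."""
    digest = hashlib.sha256(data).hexdigest()
    return "DIST %s %d SHA256 %s" % (name, len(data), digest)


def verify_against_manifest(line, name, data):
    """Accept fetched bytes only if name, size and SHA256 match the entry."""
    want_name, want_size, digests = parse_dist_line(line)
    if name != want_name or len(data) != want_size or "SHA256" not in digests:
        return False
    got = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(got, digests["SHA256"].lower())


# Constructed sample data, not real distfiles.
NAME = "example-1.0.tar.gz"
REVIEWED = b"upstream release 1.0\n"                          # what the dev saw
TAMPERED = b"upstream release 1.0\n# altered in transit\n"    # what a mirror might fetch


def current_flow(fetched_by_mirror):
    """Developer commits the hash; the mirror's fetch is an independent check."""
    dev_line = make_dist_line(NAME, REVIEWED)
    return verify_against_manifest(dev_line, NAME, fetched_by_mirror)


def mirror_generated_flow(fetched_by_mirror):
    """Mirror hashes its own fetch; the entry always matches what it got."""
    mirror_line = make_dist_line(NAME, fetched_by_mirror)
    return verify_against_manifest(mirror_line, NAME, fetched_by_mirror)


if __name__ == "__main__":
    print("dev-committed hash, altered fetch accepted:", current_flow(TAMPERED))
    print("mirror-generated hash, altered fetch accepted:", mirror_generated_flow(TAMPERED))
```

With a mirror-generated entry the check is self-consistent by construction, so it can only detect changes made after the first fetch, not during it.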