On 23 August 2011 17:22, Alexey Shvetsov <alexxy@g.o> wrote:
> On Tue, 23 Aug 2011 07:57:24 -0700, Zac Medico wrote:
>>
>> On 08/23/2011 07:02 AM, Alexey Shvetsov wrote:
>>>
>>> Ok. What is problems with thin Manifests (some kind of this already
>>> implented in funtoo)
>>
>> This is really easy to do. Like the manifest1 -> manifest2 migration,
>> we'll need some kind of repository marker which indicates the manifest
>> format. For example, we could use an entry in metadata/layout.conf for
>> this purpose (as I've already suggested in bug #333691).
>>
>>> and commit signing (this means gpg signing or something else?).
>>
>> I guess the existing manifest signing technique is likely to trigger
>> merge conflicts in the manifests. I suppose we could use another marker,
>> similar to the thin manifest marker, to indicate that the existing
>> manifest signing technique should not be used in the git tree.
>
> Yep signing git commits with gpg should avoid conflicts. May we can use
> something like this [1]
> [1]
> http://weierophinney.net/matthew/archives/236-GPG-signing-Git-Commits.html

After a quick look, it doesn't seem to add any security whatsoever -
it signs only the commit message.

-- 
Pozdrowienia
Piotr Jaroszyński