1 |
On Tue, Jul 3, 2018 at 12:41 PM Kristian Fiskerstrand <k_f@g.o> wrote: |
2 |
> |
3 |
> I would expect as much. But my primary argument would be key management related, it is simply impossible to present a raw copy of our repo to end-users and have them verify each commit |
4 |
> |
5 |
|
6 |
While related, I think that the question of distribution is still a |
7 |
fair one. We can still check an infra key on the head commit with git |
8 |
distribution. Granted, if we want to go further than that then the |
9 |
implementation will vary between git vs rsync distribution because the |
10 |
signed git metadata is only available easily in git. |
11 |
|
12 |
-- |
13 |
Rich |