| 1 |
On Tue, Jul 3, 2018 at 12:41 PM Kristian Fiskerstrand <k_f@g.o> wrote: |
| 2 |
> |
| 3 |
> I would expect as much. But my primary argument would be key management related, it is simply impossible to present a raw copy of our repo to end-users and have them verify each commit |
| 4 |
> |
| 5 |
|
| 6 |
While related, I think that the question of distribution is still a |
| 7 |
fair one. We can still check an infra key on the head commit with git |
| 8 |
distribution. Granted, if we want to go further than that then the |
| 9 |
implementation will vary between git vs rsync distribution because the |
| 10 |
signed git metadata is only available easily in git. |
| 11 |
|
| 12 |
-- |
| 13 |
Rich |
Archives