1 |
>>>>> On Sun, 21 Sep 2014, Michał Górny wrote: |
2 |
|
3 |
> Rich Freeman <rich0@g.o> napisał(a): |
4 |
>> Ulrich is well-aware of that. His argument is that with cvs there |
5 |
>> is no security whatsoever in the scm, and so there is more interest |
6 |
>> in layering security on-top. With git there is more of a tendency |
7 |
>> to rely on the less-than-robust commit signing system. |
8 |
>> |
9 |
>> We could always just keep full manifests in the tree and be no |
10 |
>> worse off than with cvs. |
11 |
|
12 |
> And we would be no better off than with CVS. We'd have huge |
13 |
> repository with a lot of redundant space-eating data and the |
14 |
> impossibility of sane merges or rebases. |
15 |
|
16 |
Not necessarily. As long as you keep write access to the repository |
17 |
secure, you don't need anything special there. However, it's a |
18 |
different story when the tree is distributed via a mirror system that |
19 |
is not entirely under our control. |
20 |
|
21 |
Full manifests could be generated automatically (and signed with an |
22 |
infra key) when copying the tree from the repository to the master |
23 |
mirror. |
24 |
|
25 |
Ulrich |