> constantly adds any security to the tree. What might add security for
> end-users is if git automatically checked the push signatures, which
> are the signatures that ensure that branches aren't tampered with
> (which is what rebasing you bring up actually does).

It is news to me that a signature from a push is also transported to a
subsequent pull request for a client; do you have some external
references for this procedure?

Regardless of the technical implementation, the fact still remains that
with the current git repositories (gentoo and the one populated with
metadata from gentoo-mirror) we might have another way of providing
a signed and tamper-proof [1] ebuild tree (apart from our daily, signed
snapshots).

Best,
Matthias

[1] At least as long as our git infrastructure is not compromised...
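The thread turns on the point that git does not verify signatures on the client's behalf when it pulls. The script below is an added example, not code from the thread or from Gentoo's infrastructure: it shows the kind of client-side check a consumer of a fetched tree has to run for itself, using `git log --format=%G?` to flag every commit in a range that does not carry a good signature from a key in the local keyring. The throwaway repository it builds, the function names `make_demo_repo`, `unsigned_commits` and `tree_is_trusted`, and the `demo@example.invalid` identity are all constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original thread): a client-side check that
# every commit reachable in a fetched range carries a verified signature.
# git will not do this on pull by itself; a wrapper or CI gate has to.
set -eu

# Build a throwaway repository with two unsigned commits (constructed test
# data; a real tree would be the result of `git fetch`).
make_demo_repo() {
    dir=$(mktemp -d)
    git -C "$dir" init -q
    git -C "$dir" -c user.name=demo -c user.email=demo@example.invalid \
        commit -q --allow-empty -m "first (unsigned)"
    git -C "$dir" -c user.name=demo -c user.email=demo@example.invalid \
        commit -q --allow-empty -m "second (unsigned)"
    printf '%s\n' "$dir"
}

# Print "<hash> <status>" for each commit in RANGE whose signature status
# is not 'G' (good signature, key in the local keyring). %G? yields
# 'N' for no signature, 'B' for bad, 'U' for good but untrusted, 'E' if
# the key is missing, 'X'/'Y'/'R' for expired or revoked keys.
unsigned_commits() {
    repo=$1
    range=$2
    git -C "$repo" log --format='%H %G?' "$range" | awk '$2 != "G" { print }'
}

# Exit status usable as a gate: 0 only if nothing in RANGE is unverified.
tree_is_trusted() {
    [ -z "$(unsigned_commits "$1" "$2")" ]
}

# Stand-alone run: the constructed repo has no signatures at all, so both
# commits are reported and the gate fails.
if [ "${1:-}" = "--demo" ]; then
    repo=$(make_demo_repo)
    unsigned_commits "$repo" HEAD
    if tree_is_trusted "$repo" HEAD; then
        echo "trusted"
    else
        echo "NOT trusted: unverified commits present"
    fi
fi
```

In a pull wrapper the range would be `FETCH_HEAD` or `origin/master@{1}..origin/master` rather than `HEAD`, and the keyring used by `git log` decides what 'G' means, so which keys sit in it (for a Gentoo tree, the infra signing key) is the trust decision.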