| 1 |
> constantly adds any security to the tree. What might add security for |
| 2 |
> end-users is if git automatically checked the push signatures, which |
| 3 |
> are the signatures that ensure that branches aren't tampered with |
| 4 |
> (which is what rebasing you bring up actually does). |
| 5 |
|
| 6 |
It is news to me that a signature from a push is also transported to a |
| 7 |
subsequent pull request for a client, do you have some external |
| 8 |
references for this procedure? |
| 9 |
|
| 10 |
Regardless of the technical implementation, the fact still remains that |
| 11 |
with the current git repositories (gentoo and the one populated with |
| 12 |
metadata from gentoo-mirror) we might have another way of providing |
| 13 |
a signed and tamper-proof [1] ebuild tree (apart from our daily, signed |
| 14 |
snapshots). |
| 15 |
|
| 16 |
Best, |
| 17 |
Matthias |
| 18 |
|
| 19 |
[1] At least as long our git infrastructure is not compromised... |
Archives