On Sun, 30 Oct 2016 14:44:26 -0700
Zac Medico <zmedico@g.o> wrote:

> On 10/30/2016 02:34 PM, Michał Górny wrote:
> > Increate the default git sync-depth from 1 to 10, to ensure that
>
> s/Increate/Increase/

Fixed.

> > gentoo-mirror git clones retain at least a single original signed
> > commit.
> > ---
> > man/portage.5 | 10 ++++++++--
> > pym/portage/sync/modules/git/__init__.py | 2 +-
> > 2 files changed, 9 insertions(+), 3 deletions(-)
> >
> > diff --git a/man/portage.5 b/man/portage.5
> > index 963f49d..c1e4d97 100644
> > --- a/man/portage.5
> > +++ b/man/portage.5
> > @@ -965,8 +965,14 @@ Specifies priority of given repository.
> > Specifies CVS repository.
> > .TP
> > .B sync\-depth
> > -Specifies clone depth to use for DVCS repositories. Defaults to 1 (only
> > -the newest commit). If set to 0, the depth is unlimited.
> > +Specifies clone depth to use for DVCS repositories. Defaults to 10
> > +(commits deep). If set to 0, the depth is unlimited.
> > +.br
> > +The default depth of 10 was chosen as a compromise between space
> > +and bandwidth savings, and maintaining a history of recent commits.
> > +It is especially important for gentoo-mirror repositories where the most
> > +recent commits are automated and unsigned, and it is necessary to
> > +rewind the history to the newest signed commit for OpenPGP verification.
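Review bot: the new sync-depth text explains why 10 was chosen but not what happens when the newest signed commit is not within those 10 commits, which is exactly the failure this default is meant to avoid; the paragraph after ".br" should say that OpenPGP verification then has nothing to rewind to and fails, and that the user must raise sync-depth (or set it to 0) if more than ten automated, unsigned mirror commits can land between signed ones. Minor wording: "Defaults to 10 (commits deep)." reads awkwardly next to the old "Defaults to 1 (only the newest commit)."; "Defaults to 10 commits." is enough.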
>
> Shouldn't people feel uneasy about the last commit being unverifiable? I
> would think that that last commit should be signed with an
> infrastructure key.

I've even written a blog post [1] about that. Long story short,
trusting some random key used by an automated process running on a remote
server with no real security is insane. I've made a script that
verifies the underlying repo commit instead, and diffs for metadata
changes.

[1]: https://blogs.gentoo.org/mgorny/2016/04/15/why-automated-gentoo-mirror-commits-are-not-signed-and-how-to-verify-them-2/

--
Best regards,
Michał Górny
<http://dev.gentoo.org/~mgorny/>
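The check described above (rewind the shallow clone to the newest OpenPGP-signed commit, then diff the unsigned automated commits on top of it and accept only metadata changes), as an added example in Python. This is neither portage's git sync module nor the script from the blog post; it only follows the approach the message outlines. It assumes `git` is in PATH when the subprocess helpers are used, that the clone was made with the sync-depth from the patch (10 by default), and, purely for illustration, that mirror-generated changes live under `metadata/` or in `Manifest` files; the pure functions work on constructed `git log` and `git diff` output so the logic can be exercised without a repository.

```python
"""Rewind a shallow clone to the newest OpenPGP-signed commit and check
that the unsigned commits on top of it only touch metadata.

Added example, not portage code and not the script from the blog post.
Assumes `git` in PATH for the subprocess helpers; the pure functions run
on constructed `git log --format='%H %G?'` / `git diff --name-only` output.
"""
import subprocess

# Signature status letters printed by git's %G? placeholder.
GOOD = "G"            # good signature, key trusted
GOOD_UNTRUSTED = "U"  # good signature, key not marked trusted
BAD = "B"             # bad signature: the commit object was altered
NONE = "N"            # no signature at all (the automated mirror commits)
# E = cannot check (key missing), X/Y = expired, R = revoked: not accepted.

# Assumption for illustration only: where mirror-generated changes live.
ALLOWED_PREFIXES = ("metadata/",)
ALLOWED_BASENAMES = ("Manifest",)

# Constructed sample of `git log --format='%H %G?'` output, newest first:
# two unsigned automated commits on top of a signed one, depth 4.
SAMPLE_LOG = [
    "1111111111111111111111111111111111111111 N",
    "2222222222222222222222222222222222222222 N",
    "3333333333333333333333333333333333333333 G",
    "4444444444444444444444444444444444444444 G",
]


def newest_signed_commit(log_lines, accept=(GOOD,)):
    """Walk log lines (newest first) and return (commit, commits_to_rewind)
    for the newest commit whose signature status is in `accept`.
    Returns None when the available history holds no such commit: with a
    shallow clone that means sync-depth was too small, or the signing key
    is not in the keyring (status E).  A BAD signature above the newest
    good one is treated as tampering and raises."""
    for rewind, line in enumerate(log_lines):
        fields = line.split()
        if len(fields) != 2:
            raise ValueError(f"unexpected git log line: {line!r}")
        commit, status = fields
        if status == BAD:
            raise ValueError(f"bad signature on {commit}")
        if status in accept:
            return commit, rewind
    return None


def unexpected_paths(changed_paths):
    """Paths changed by the unsigned commits that are not metadata."""
    def is_metadata(path):
        return (path.startswith(ALLOWED_PREFIXES)
                or path.rsplit("/", 1)[-1] in ALLOWED_BASENAMES)
    return [p for p in changed_paths if not is_metadata(p)]


def git_signature_log(repo, depth):
    """'<hash> <status>' per line, limited to the shallow depth."""
    out = subprocess.check_output(
        ["git", "-C", repo, "log", f"--max-count={depth}", "--format=%H %G?"],
        text=True)
    return out.splitlines()


def git_changed_paths(repo, base, head="HEAD"):
    """Files touched between the signed commit and the checked-out tip."""
    out = subprocess.check_output(
        ["git", "-C", repo, "diff", "--name-only", f"{base}..{head}"],
        text=True)
    return out.splitlines()


def verify_mirror_checkout(repo, depth=10):
    """Require a good signature within `depth` commits and metadata-only
    changes after it.  Returns (signed_commit, commits_rewound)."""
    found = newest_signed_commit(git_signature_log(repo, depth))
    if found is None:
        raise RuntimeError(
            f"no commit with a good signature in the last {depth} commits; "
            "raise sync-depth (or run `git fetch --deepen=N`) and retry")
    signed, rewind = found
    bad = unexpected_paths(git_changed_paths(repo, signed))
    if bad:
        raise RuntimeError(
            f"unsigned commits after {signed} touch non-metadata files: {bad}")
    return signed, rewind


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(verify_mirror_checkout(sys.argv[1]))
    else:
        print(newest_signed_commit(SAMPLE_LOG))  # constructed sample only
```

`newest_signed_commit` returning None is the case the sync-depth default is guarding against: with depth 1 the mirror's unsigned tip is the only commit in the clone and there is nothing to rewind to. Accepting only `G` means the key must be marked trusted in the keyring; pass `accept=(GOOD, GOOD_UNTRUSTED)` if the infra key is imported but not trust-signed.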