Gentoo Archives: gentoo-scm

From: "Robin H. Johnson" <robbat2@g.o>
To: gentoo-scm@l.g.o
Subject: [gentoo-scm] meeting followup: commit signing
Date: Wed, 27 Oct 2010 00:10:26
In Reply to: Re: [gentoo-scm] Notes from a recent meeting; Updated conversion by "Robin H. Johnson"
So beyond the meeting, I spoke to spearce again, and came up with a more
detailed plan.

1. We will implement our own reflog to track who pushes commits. It will
   be done by the server-side script making a commit into a submodule.

2. Careful selection of what to sign should work with the following:
   # git diff-tree --no-commit-id -r --raw $commitid
   # git cat-file commit $commitid | egrep -v '^(tree|parent|committer)'
   Need a slightly better parser to trim those 3 lines from the latter.
   Feed that data into gpg --detach-sign.
   But then after we have that, we can either append it onto a commit
   message (would have to trim during verification), or put it in as a
   git note (need to verify trampling).
   This SHOULD be safe across all actions, rewind, merge, cherry-pick.

Log of the discussion attached.

Robin Hugh Johnson
Gentoo Linux: Developer, Trustee & Infrastructure Lead
E-Mail     : robbat2@g.o
GnuPG FP   : 11AC BA4F 4778 E3F6 E4ED  F38E B27B 944E 3488 4E85


Attachment: 20101026_spearce_git_commit_signing.txt (text/plain)
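The selection-and-trim step from item 2, as an added worked example. This is not Robin's or spearce's code: it is a small parser that does what the mail's egrep one-liner approximates, keeping the header fields other than tree/parent/committer by splitting the commit object at the first blank line rather than pattern-matching every line. The commit object and the diff-tree listing it operates on are constructed samples, not real Gentoo commits, and the gpg invocation is only attempted when a gpg binary is on PATH.

```python
"""Build the to-be-signed payload from item 2 of the mail: the raw
diff-tree listing followed by the commit object with its tree, parent
and committer headers removed."""
import re
import shutil
import subprocess
from typing import List, Tuple

# Constructed sample of `git cat-file commit <id>` output (not a real
# commit). The message deliberately has a line starting with "tree" to
# show why an egrep over the whole object over-strips.
SAMPLE_COMMIT = (
    "tree 4b825dc642cb6eb9a060e54bf8d69288fbee4904\n"
    "parent 1111111111111111111111111111111111111111\n"
    "parent 2222222222222222222222222222222222222222\n"
    "author Jane Developer <jane@example.org> 1288137026 +0000\n"
    "committer Robin H. Johnson <robbat2@example.org> 1288137100 +0000\n"
    "\n"
    "sys-apps/foo: bump to 1.2\n"
    "\n"
    "tree-wide rename of the old keyword.\n"
)

# Constructed sample of `git diff-tree --no-commit-id -r --raw <id>` output.
SAMPLE_DIFF_TREE = (
    ":100644 100644 e69de29bb2d1d6434b8b29ae775ad8c2e48c5391 "
    "5716ca5987cbf97d6bb54920bea6adde242d87e6 M\tsys-apps/foo/foo-1.2.ebuild\n"
    ":000000 100644 0000000000000000000000000000000000000000 "
    "e69de29bb2d1d6434b8b29ae775ad8c2e48c5391 A\tsys-apps/foo/ChangeLog\n"
)

STRIPPED_HEADERS = ("tree", "parent", "committer")
EGREP_RE = re.compile(r"^(tree|parent|committer)")


def egrep_style(raw: str) -> str:
    """The mail's one-liner: drop every line matching the pattern, wherever
    it occurs, message lines included."""
    return "".join(line + "\n" for line in raw.splitlines()
                   if not EGREP_RE.match(line))


def split_commit(raw: str) -> Tuple[List[Tuple[str, str]], str]:
    """Split a commit object into (headers, message).

    Headers end at the first blank line. A header value may continue on
    following lines that start with a single space (gpgsig, mergetag).
    """
    head, sep, message = raw.partition("\n\n")
    if not sep:
        raise ValueError("commit object has no blank line after headers")
    headers: List[Tuple[str, str]] = []
    for line in head.split("\n"):
        if line.startswith(" ") and headers:
            key, value = headers[-1]
            headers[-1] = (key, value + "\n" + line[1:])
        else:
            key, _, value = line.partition(" ")
            headers.append((key, value))
    return headers, message


def stable_commit_part(raw: str) -> str:
    """Re-serialise the commit with tree/parent/committer removed.

    Only header fields are filtered, so a message line starting with
    "tree" survives, unlike with egrep over the whole object.
    """
    headers, message = split_commit(raw)
    kept = [f"{k} {v}".replace("\n", "\n ")
            for k, v in headers if k not in STRIPPED_HEADERS]
    return "\n".join(kept) + "\n\n" + message


def signing_payload(diff_tree_raw: str, commit_raw: str) -> bytes:
    """Concatenate the two inputs in the order the mail gives them."""
    return (diff_tree_raw + stable_commit_part(commit_raw)).encode("utf-8")


def detach_sign(payload: bytes) -> bytes:
    """Feed the payload to gpg on stdin and return the ASCII-armoured
    detached signature (requires a usable default signing key)."""
    return subprocess.run(
        ["gpg", "--batch", "--detach-sign", "--armor"],
        input=payload, capture_output=True, check=True).stdout


if __name__ == "__main__":
    payload = signing_payload(SAMPLE_DIFF_TREE, SAMPLE_COMMIT)
    print(payload.decode())
    if shutil.which("gpg"):
        try:
            print(detach_sign(payload).decode())
        except subprocess.CalledProcessError as exc:
            print("gpg failed:", exc.stderr.decode().strip())
```

Whether the signature is later appended to the commit message or stored as a git note, verification reverses this: rebuild the same payload from the commit being checked and run `gpg --verify` against it.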