Home
Reading
Searching
Subscribe
Sponsors
Statistics
Posting
Contact
Spam
Lists
Links
About
Hosting
Filtering
Features Download
Marketing
Archives
FAQ
Blog
 
Gmane
From: Robin H. Johnson <robbat2-aBrp7R+bbdUdnm+yROfE0A <at> public.gmane.org>
Subject: meeting followup: commit signing
Newsgroups: gmane.linux.gentoo.scm-migration
Date: Wednesday 27th October 2010 00:10:23 UTC (over 6 years ago)
So beyond the meeting, I spoke to spearce again, and came up with a more
detailed plan.

1. We will implement our own reflog to track who pushes commits. It will
   be done by the server-side script making a commit into a submodule.

2. Careful selection of what to sign should work with the following:
   # git diff-tree --no-commit-id -r --raw $commitid ; 
   # git cat-file commit $commitid |egrep -v '^(tree|parent|commiter)'
   Need a slightly better parser to trim those 3 lines from the latter.
   Feed that data into gpg --detached-sign.
   But then after we have that, we can either append it onto a commit
   message (would have to trim during verification), or put it in as a
   git note (need to verify trampling).
   This SHOULD be safe across all actions, rewind, merge, cherry-pick.

Log of the discussion attached.

-- 
Robin Hugh Johnson
Gentoo Linux: Developer, Trustee & Infrastructure Lead
E-Mail     : [email protected]
GnuPG FP   : 11AC BA4F 4778 E3F6 E4ED  F38E B27B 944E 3488 4E85
 
CD: 3ms