On Tue, Aug 20, 2013 at 8:39 PM, John Long <[email protected]> wrote:
> If you're working on flagging PGP commits then it would be really nice to
> say PGP in red if the signature doesn't verify or green if it does or
> something like that. Otherwise saying "PGP" on a commit does more harm than
> good imho. Personally for hosted projects I'd like to see a feature that
> has an option to verify the signature on commits before committing them as a
> protection against unauthorized access to the repo (weak passwords, http
> instead of https etc.)

Yeah, i left the word "signed" in the hopes that it didn't apply "approved". Patches are of course welcomed for validation, provided they don't require 3rd-party deps (extern deps mean the feature must be optional, e.g. SSL).

What should happen if a sign check fails? e.g. on a rebuild of a db (PGP is seen at checkin or on rebuild)? Should it then reject the whole db? i don't think we have a recovery strategy if they fail. The best we could do is flag them in the timeline as passed/failed/unchecked, i think.

--
----- stephan beal
http://wanderinghorse.net/home/stephan/
http://gplus.to/sgbeal

