> constantly adds any security to the tree.  What might add security for
> end-users is if git automatically checked the push signatures, which
> are the signatures that ensure that branches aren't tampered with
> (which is what rebasing you bring up actually does).

It is news to me that a signature from a push is also transported to a
subsequent pull request for a client; do you have some external
references for this procedure?

Regardless of the technical implementation, the fact still remains that
with the current git repositories (gentoo and the one populated with
metadata from gentoo-mirror) we might have another way of providing
a signed and tamper-proof [1] ebuild tree (apart from our daily, signed
snapshots).

Best,
Matthias

[1] At least as long as our git infrastructure is not compromised...
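As an added illustration of the "automatically checked push signatures" idea raised in the quoted text (this is example code, not something from the thread or from Gentoo's infrastructure): a server-side pre-receive hook policy that refuses any push whose certificate git did not verify as a good signature with a matching nonce. It assumes the receiving repository has `receive.certNonceSeed` configured so that `git push --signed` certificates carry a server-issued nonce.

```shell
#!/bin/sh
# Added example: pre-receive hook policy for signed pushes.
# git exports GIT_PUSH_CERT_STATUS and GIT_PUSH_CERT_NONCE_STATUS to the
# hook when the client pushed with --signed (see githooks(5)).

# check_push_cert STATUS NONCE_STATUS
#   STATUS uses the %G? mnemonics: G good, B bad, U good but untrusted,
#   X/Y expired, R revoked, E cannot check, N no signature.
#   NONCE_STATUS is one of OK, BAD, MISSING, UNSOLICITED, SLOP.
# Returns 0 only for a good, trusted signature over a server-issued nonce.
check_push_cert() {
  case "$1" in
    G) ;;   # good signature from a key in the server's trust database
    *) echo "rejected: push certificate status '$1'" >&2; return 1 ;;
  esac
  case "$2" in
    OK) ;;  # nonce matches the one this server handed out (no replay)
    *) echo "rejected: push certificate nonce status '$2'" >&2; return 1 ;;
  esac
  return 0
}

# Hook entry point: defaults model an unsigned push (N / MISSING), which
# is rejected. Ref updates arrive on stdin as "<old> <new> <refname>".
main() {
  check_push_cert "${GIT_PUSH_CERT_STATUS:-N}" \
                  "${GIT_PUSH_CERT_NONCE_STATUS:-MISSING}" || exit 1
  while read -r old new ref; do
    echo "certified update: $ref $old -> $new" >&2
  done
}

# Only run the hook body when installed as hooks/pre-receive.
[ "${0##*/}" = "pre-receive" ] && main
```

Install as `hooks/pre-receive` on the bare repository; clients then need `git push --signed` (or `push.gpgSign=true`) for their pushes to be accepted.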