On Mon, Jul 2, 2018 at 6:55 PM Rich Freeman <[email protected]> wrote: > You might want to read what I wrote then, because I proposed options > for using the git signatures over rsync, as well as for with git > syncing
> having a tool that extracts the git > signatures and stores the metadata in the repo (ideally done by infra > before mirroring, but it could be done after the fact as well) Aren't git signatures done over the full commit objects? Meaning you'd need the entire tree of metadata and thus all commits in order to verify? Or do you see some clever opportunity for extracting just enough metadata that you could actually have a file-based, rather than commit-based, verification?
