On 07/08/2018 07:34 PM, Rich Freeman wrote:
> The patch is to do the verification before
> checking it out so that if it fails the tree is left in a
> last-known-good state (at least as seen by tools at the filesystem
> level - the fetched bad commits would still be visible to git).

There is still a very different key management issue discussed. If a developer's credentials are removed from Gentoo LDAP for some reason it will be stopped from pushing new commits immediately, but the third party verification can be valid up until that point and after since the developer might not have published a revocation certificate. The git sync method will need a way to distinguish this for end-users, but the proper rsync synchronization will be able to trust the data at the point we say it is OK.

-- 
Kristian Fiskerstrand
OpenPGP keyblock reachable at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
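
The verify-before-checkout flow described in the quoted text, as an added example that is not part of the original message and is not Portage's code; the function name `sync_verified` and its arguments are hypothetical. It assumes the trusted signing keys are already in the local GnuPG keyring.

```shell
#!/bin/sh
# Added example: verify fetched commits before touching the working tree.
# Not Portage's code; function and variable names are hypothetical.

# sync_verified REPO_DIR REMOTE BRANCH
# Returns 0 and fast-forwards the checkout only if the fetched tip carries a
# signature that `git verify-commit` accepts. Otherwise returns 1 and leaves
# HEAD and the working tree at the last-known-good commit.
#
# Limitation raised in the reply above: this check only knows which keys are
# in the local keyring. It cannot tell whether the signer still had push
# access when the commit was made, or whether a revocation is unpublished.
sync_verified() {
    repo=$1 remote=$2 branch=$3

    # Step 1: download objects only. Nothing outside .git changes on disk.
    git -C "$repo" fetch --quiet "$remote" "$branch" || return 1
    tip=$(git -C "$repo" rev-parse --verify FETCH_HEAD) || return 1

    # Step 2: check the signature on the fetched tip before any checkout.
    # Unsigned or badly signed commits make verify-commit exit non-zero.
    if ! git -C "$repo" verify-commit "$tip" >/dev/null 2>&1; then
        echo "verification failed for $tip; checkout left untouched" >&2
        return 1
    fi

    # Step 3: only now move the checkout, and only as a fast-forward.
    git -C "$repo" merge --quiet --ff-only "$tip"
}
```

After a failed run the rejected commit is still reachable through `FETCH_HEAD`, which matches the caveat in the quoted text that the fetched bad commits remain visible to git.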