On Wed, Jul 4, 2018 at 1:34 PM Rich Freeman <ri...@gentoo.org> wrote:
>
> I wonder if we can have portage instead do a fetch, then do the
> verification of HEAD, and then if it passes do a checkout. That will
> still leave you with invalid data in the git history, but it won't
> actually be checked out, so at least emerge won't be seeing it.
>

Kudos to zmedico on the quick patch:
https://github.com/gentoo/portage/pull/332/commits/74c3b10dba60bcb096404c6aca148b9ae7a9a80b

I'm sure it will be a bit before it is released, but this should make
git syncs much more secure.

--
Rich
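
The ordering proposed in the quoted message (fetch, verify the fetched commit, and only then update the working tree), written out as an added shell example; it is not Portage's code and not the linked patch. The function name `sync_verified` and its arguments are hypothetical, and it assumes the GnuPG keyring git uses holds only keys trusted to sign this repository.

```shell
#!/bin/sh
# Added example (not Portage's implementation): fetch first, verify the
# signature on the fetched commit, and only fast-forward the working tree
# if verification succeeds.
#
# Usage: sync_verified REPO_DIR REMOTE BRANCH   (hypothetical helper)
# Returns 0 on success, 1 if the fetch fails, 2 if verification fails.
sync_verified() {
    repo=$1
    remote=$2
    branch=$3

    # Step 1: fetch only. This downloads objects and writes FETCH_HEAD,
    # but leaves HEAD, the index and the working tree untouched.
    git -C "$repo" fetch --quiet "$remote" "$branch" || return 1

    # Pin the exact commit ID that was fetched, so the object that gets
    # verified is the same object that gets checked out afterwards.
    fetched=$(git -C "$repo" rev-parse --verify --quiet 'FETCH_HEAD^{commit}') \
        || return 1

    # Step 2: verify the signature on that commit. An unsigned commit, or
    # one whose signature does not validate, makes verify-commit exit
    # non-zero. Assumption: the keyring contains only trusted keys.
    if ! git -C "$repo" verify-commit "$fetched" >/dev/null 2>&1; then
        echo "sync_verified: $fetched failed verification, not checking out" >&2
        # The unverified objects stay in the object database, but nothing
        # reading the working tree ever sees them.
        return 2
    fi

    # Step 3: only now move the branch and working tree forward.
    git -C "$repo" merge --quiet --ff-only "$fetched"
}
```

On failure the rejected commit is still present in the repository's object store, which is the residual state the quoted message describes.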