On Sun, Jul 5, 2015 at 3:33 AM, Alon Bar-Lev <alo...@gentoo.org> wrote:
> On 4 July 2015 at 23:28, Alexandre Rostovtsev <tetrom...@gentoo.org> wrote:
>>
>> On Sun, 2015-07-05 at 02:16 +0700, C Bergström wrote:
>> > 2) I don't understand your comment about signatures.
>>
>> Gpg commit signatures [1] which are a requirement for any gentoo git
>> workflow. Rebasing breaks the author's signature afaict, so the user
>> who is doing rebasing needs to re-sign the commit using his own key.
>>
>> [1] https://git-scm.com/book/tr/v2/Git-Tools-Signing-Your-Work#Signing-Commits
>>
>
> Maybe this is the root cause of all issues, and simpler was to remain
> with signed manifests.
> Just a thought... Not every git feature out there should actually
> be leveraged.
> Doing so would enable rebase without losing data, more secure (than
> SHA-1) signatures, using code review tools such as gerrit without an
> issue, migration out of git in future and probably more.
>

Gpg commit signatures - lol... really? (sorry I realize this is a
serious comment)
----------
I'd agree that the point of security failure would probably be better
at actually ensuring the content to the users is correct and valid.

+1 for gerrit, but I realize that may be overkill
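
An added example, not part of any message in this thread, showing why a rebase invalidates the author's commit signature: the signature covers the commit object's bytes (tree, parent, author, committer, message), and a rebase rewrites the parent and committer. HMAC-SHA256 stands in for GPG here, and all keys, names and ids are constructed.

```python
import hashlib
import hmac

# Constructed sample values; none come from the thread.
AUTHOR_KEY = b"constructed-author-key"    # stand-in for the author's GPG key
REBASER_KEY = b"constructed-rebaser-key"  # stand-in for the rebasing dev's key
TREE = "4b825dc642cb6eb9a060e54bf8d69288fbee4904"  # git's empty tree id
AUTHOR = "A Dev <dev@example.org> 1436050000 +0000"
REBASER = "B Merger <merger@example.org> 1436060000 +0000"

def payload(parent, committer, message="Fix ebuild"):
    """Commit body without the gpgsig header: the bytes that get signed."""
    return (f"tree {TREE}\nparent {parent}\nauthor {AUTHOR}\n"
            f"committer {committer}\n\n{message}\n").encode()

def sign(key, data):
    """HMAC-SHA256 standing in for a detached GPG signature (assumption)."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def verify(key, data, sig):
    return hmac.compare_digest(sign(key, data), sig)

def commit_id(data, sig):
    """Object id: SHA-1 over 'commit <len>\\0' plus the body with gpgsig added."""
    head, _, rest = data.partition(b"\n\n")
    body = head + b"\ngpgsig " + sig.encode() + b"\n\n" + rest
    return hashlib.sha1(b"commit %d\x00" % len(body) + body).hexdigest()

def demo():
    original = payload("1" * 40, AUTHOR)   # author commits on the old base
    sig = sign(AUTHOR_KEY, original)
    rebased = payload("2" * 40, REBASER)   # rebase: new parent, new committer
    resig = sign(REBASER_KEY, rebased)     # rebaser re-signs with own key
    return {
        "original_ok": verify(AUTHOR_KEY, original, sig),
        "old_sig_on_rebased": verify(AUTHOR_KEY, rebased, sig),
        "resigned_ok": verify(REBASER_KEY, rebased, resig),
        "author_key_on_resig": verify(AUTHOR_KEY, rebased, resig),
        "id_changed": commit_id(original, sig) != commit_id(rebased, sig),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

After the rebase, only the rebaser's key verifies the commit, so the author's attestation is no longer carried by the history.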
