On Mon, Jul 2, 2018 at 7:23 PM Matthias Maier <tam...@gentoo.org> wrote:
> stores tree snapshots (and not differences). So all you need is exactly
> one signed commit to verify that
>
> - this is the full repository tree the developer saw at the time of the
>   commit
> - this is the full history the developer saw at the time of the commit
I'm not sure this is as good, though. I don't think all developers verify the whole tree before adding a signature on top. And this leaves out file-level granularity, so I can't choose to distrust a certain set of developers I know to have poor security practices and have .asc files from those developers simply not verify. With the extracted-git model, it winds up being "the most recent developer signs everything for everybody". This is a bit weaker than what I've proposed.
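To make the "one signed commit pins the snapshot and the history" property from the quoted text concrete, the following is an added example, not code from this thread or from Gentoo's tooling. It reproduces git's object hashing in pure Python: blob, tree and commit ids are SHA-1 over a type header plus body, exactly as `git hash-object` computes them, and a commit's bytes name its tree id and parent ids. Since `git commit -S` signs those commit bytes, a signature on the head commit transitively covers every file in the tree and every earlier commit. The author line, file names and contents are constructed for the example; the tree is kept flat (real git nests one tree object per directory).

```python
"""Toy model of git's content-addressed objects (added example, not thread code).

git signs the bytes of the commit object; the commit id is SHA-1 over those
bytes, and the bytes name the tree id and parent ids, which in turn name
every blob.  So one signed commit pins the full snapshot and the full history.
"""
import hashlib
from typing import Dict, List

# Constructed identity, only so that commit bytes are deterministic.
AUTHOR = "A U Thor <author@example.org> 1530570000 +0000"


def git_object_id(kind: str, body: bytes) -> str:
    """Hash like `git hash-object -t <kind>`: SHA-1("<kind> <len>\\0" + body)."""
    header = f"{kind} {len(body)}\0".encode()
    return hashlib.sha1(header + body).hexdigest()


def blob_id(content: bytes) -> str:
    return git_object_id("blob", content)


def tree_id(files: Dict[str, bytes]) -> str:
    """Flat tree of regular files (mode 100644), entries sorted by name as git
    requires.  Each entry carries the binary 20-byte blob id, so changing any
    file's content changes the tree id.  (Real git nests a tree per directory.)"""
    body = b""
    for name in sorted(files):
        body += b"100644 " + name.encode() + b"\0" + bytes.fromhex(blob_id(files[name]))
    return git_object_id("tree", body)


def commit_bytes(tree: str, parents: List[str], message: str) -> bytes:
    """The bytes `git commit -S` signs (git then embeds the signature as a
    gpgsig header inside the same object)."""
    lines = [f"tree {tree}"] + [f"parent {p}" for p in parents]
    lines += [f"author {AUTHOR}", f"committer {AUTHOR}", "", message]
    return "\n".join(lines).encode() + b"\n"


def commit_id(tree: str, parents: List[str], message: str) -> str:
    return git_object_id("commit", commit_bytes(tree, parents, message))


def build_history(snapshots: List[Dict[str, bytes]]) -> List[str]:
    """Linear history: snapshot i becomes commit i, with commit i-1 as parent."""
    ids: List[str] = []
    parents: List[str] = []
    for i, files in enumerate(snapshots):
        cid = commit_id(tree_id(files), parents, f"commit {i}")
        ids.append(cid)
        parents = [cid]
    return ids


def head_binds_history() -> bool:
    """Tamper with a file in an OLD commit only.  The newest commit id still
    changes, so a signature made over the original head commit would no
    longer verify against the tampered repository."""
    base = [
        {"foo-1.ebuild": b"EAPI=7\n"},                                  # constructed
        {"foo-1.ebuild": b"EAPI=7\n", "bar-1.ebuild": b"EAPI=7\n"},     # constructed
    ]
    tampered = [{"foo-1.ebuild": b"EAPI=7\nSRC_URI=evil\n"}, base[1]]
    return build_history(base)[-1] != build_history(tampered)[-1]


if __name__ == "__main__":
    print("empty blob :", blob_id(b""))
    print("empty tree :", tree_id({}))
    print("head commit pins history:", head_binds_history())
```

The ids this produces for the empty blob and the empty tree match what a real `git hash-object` / `git write-tree` emit, which is a quick way to convince yourself the toy is faithful. What the example does not show is the other half of the reply above: because the signature sits on the head commit alone, there is no per-file unit that a verifier could reject for a specific signer without rejecting the whole tree.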