On Tue, Jul 3, 2018 at 12:41 PM Kristian Fiskerstrand <k...@gentoo.org> wrote: > > I would expect as much. But my primary argument would be key management > related, it is simply impossible to present a raw copy of our repo to > end-users and have them verify each commit >
While related, I think that the question of distribution is still a fair one. We can still check an infra key on the head commit with git distribution. Granted, if we want to go further than that then the implementation will vary between git vs rsync distribution because the signed git metadata is only available easily in git. -- Rich
