[PD-dev] moving to git

IOhannes m zmölnig zmoelnig at iem.at
Fri Oct 16 20:45:49 CEST 2015


On 10/16/2015 07:32 PM, IOhannes m zmölnig wrote:
> On 10/16/2015 02:41 PM, Roman Haefeli wrote:
>> Ok, so what's the fuzz about non-secure connections when the repo's
>> purpose is to _clone_ from it?
>>
> 
> because the repository could have been tampered with.
> 
> i *think* I have a proper solution to the problem, that is unrelated to
> https: if I gpg-sign the root commit of each repository, then we
> would have a guarantee that the repository is the one that I uploaded.

done.

all repos now have their root and head commits tagged as "svn2git-root"
(resp. "svn2git-head").
if there are multiple roots resp. heads, they have an index attached
(e.g. "svn2git-root.0")

these tags are signed by me (with the key that is attached to virtually
all of my emails), and have a tag message that reads like:

   "signed-tag: svn2git root of ${repo}"

with "${repo}" being replaced by the name of the actual repository.
(in the case of multiple roots/heads, it will say something like
"signed-tag: svn2git head.1 of ${repo}")


i consider this safer than mere transport encryption (as suggested by
jonathan), as it guarantees the integrity of the repository itself (even
if you get it by floppy disk).


mfsdr
IOhannes
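An added example (not code from the mail above or from the Pd repositories): a shell script that builds a throw-away repository with a throw-away OpenPGP key, tags its root and head commits with the message format described above, and then checks a clone the way a recipient should: a good signature on both tags, "svn2git-root" pointing at the repository's single root commit, and "svn2git-head" pointing at HEAD. The repository name "demo", the example.invalid signing identity and the commit contents are constructed for the demonstration. The second half rewrites history in a clone to show the check failing.

```sh
#!/bin/sh
# Added example, not code from the original mail or from the Pd project:
# build a throw-away repository, tag its root and head with a throw-away
# OpenPGP key the way the mail describes, then verify a clone as a
# recipient should.  Names (repo "demo", the example.invalid identity) and
# the commit contents are constructed for this demonstration.
set -eu

for tool in git gpg gpgconf; do
    command -v "$tool" >/dev/null 2>&1 || { echo "skipping: $tool not installed"; exit 0; }
done

WORK=$(mktemp -d)
export GNUPGHOME="$WORK/gnupg"            # private keyring; never touches ~/.gnupg
mkdir -m 700 "$GNUPGHOME"
trap 'gpgconf --kill gpg-agent 2>/dev/null || true; rm -rf "$WORK"' EXIT

# Throw-away signing key standing in for the maintainer's real key.
gpg --batch --pinentry-mode loopback --passphrase '' \
    --quick-gen-key 'svn2git demo <svn2git@example.invalid>' default default never >/dev/null 2>&1
KEYID=$(gpg --batch --list-secret-keys --with-colons | awk -F: '/^sec/ { print $5; exit }')
[ -n "$KEYID" ] || { echo "key generation failed"; exit 1; }

# One git command line carrying the identity and signing key for every call.
GIT="git -c user.name=demo -c user.email=svn2git@example.invalid -c user.signingkey=$KEYID"

# Build the "uploaded" repository: three commits, a single root, and the two
# signed tags with the message format used in the mail.
make_signed_repo() {            # $1 = repository name, $2 = directory
    $GIT init -q "$2"
    for n in 1 2 3; do
        echo "revision $n" > "$2/file.txt"
        $GIT -C "$2" add file.txt
        $GIT -C "$2" commit -q -m "svn r$n"
    done
    root=$($GIT -C "$2" rev-list --max-parents=0 HEAD)
    $GIT -C "$2" tag -s svn2git-root -m "signed-tag: svn2git root of $1" "$root"
    $GIT -C "$2" tag -s svn2git-head -m "signed-tag: svn2git head of $1" HEAD
}

# Recipient-side check.  Succeeds only if both tags carry a good signature
# from a key in our keyring AND point where they claim to: svn2git-root at
# the repository's one root commit, svn2git-head at the current HEAD.  A
# valid signature on a tag that points somewhere else proves nothing.
verify_signed_clone() {         # $1 = directory of the clone
    d=$1
    for t in svn2git-root svn2git-head; do
        $GIT -C "$d" verify-tag "$t" >/dev/null 2>&1 \
            || { echo "FAIL: bad or missing signature on $t"; return 1; }
    done
    root=$($GIT -C "$d" rev-list --max-parents=0 HEAD)
    [ "$($GIT -C "$d" rev-parse 'svn2git-root^{commit}')" = "$root" ] \
        || { echo "FAIL: svn2git-root does not point at the root commit"; return 1; }
    [ "$($GIT -C "$d" rev-parse 'svn2git-head^{commit}')" = "$($GIT -C "$d" rev-parse HEAD)" ] \
        || { echo "FAIL: svn2git-head does not point at HEAD"; return 1; }
    echo "OK: $d matches the signed root and head"
}

make_signed_repo demo "$WORK/upstream"

# An honest clone passes.
GOOD="$WORK/clone"
git clone -q "$WORK/upstream" "$GOOD"
verify_signed_clone "$GOOD"

# A clone whose history was rewritten: same commit message, different tree,
# so HEAD's id changes and the signed head tag no longer covers it.
BAD="$WORK/tampered"
git clone -q "$WORK/upstream" "$BAD"
echo "backdoor" >> "$BAD/file.txt"
$GIT -C "$BAD" add file.txt
$GIT -C "$BAD" commit -q --amend -m "svn r3"
verify_signed_clone "$BAD" || true

# Re-tagging without the maintainer's key does not help the attacker either:
# an unsigned (or differently signed) tag fails git verify-tag.
$GIT -C "$BAD" tag -f -a svn2git-head -m "signed-tag: svn2git head of demo" HEAD >/dev/null
verify_signed_clone "$BAD" || true
```

Two things to keep in mind when applying this to a real clone. First, because every commit id covers its tree and its parents, the signed head tag is what authenticates the whole history as it was uploaded; the signed root tag on its own only pins the first commit, so a recipient should check both, as the script does. Second, "git verify-tag" reports a good signature for any key that is in the local keyring, so the check is only as strong as the way the signer's public key was obtained (e.g. the key attached to the mails, with its fingerprint confirmed out of band).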


