FLOP:Metarepo signing

From Funtoo
Jump to: navigation, search
Created on
2020/03/17
Original Author(s)
mrl5
Status

Funtoo Linux Optimization Proposal: Metarepo signing

Commits in metarepo could be GPG signed and then ego could verify those signatures

Overview

This feature creates an extra protection layer in case when funtoo github account would be compromised or for any other reason unauthorized commit is applied to the mainstream branch. There have been cases like this in the past 1 2

According to docs 3 4 and output from git remote -v updates are taken from github

root # cd /var/git/meta-repo/ && git remote -v
origin  https://github.com/funtoo/meta-repo (fetch)
origin  https://github.com/funtoo/meta-repo (push)

Related

https://www.funtoo.org/FLOP:Release_Signing

https://git-scm.com/book/en/v2/Git-Tools-Signing-Your-Work