FLOP:Metarepo signing
Jump to navigation
Jump to search
The printable version is no longer supported and may have rendering errors. Please update your browser bookmarks and please use the default browser print function instead.
- Created on
- 2020/03/17
- Original Author(s)
- mrl5
- Status
Funtoo Linux Optimization Proposal: Metarepo signing
Commits in metarepo could be GPG signed and then ego could verify those signatures
Overview
This feature creates an extra protection layer in case when funtoo github account would be compromised or for any other reason unauthorized commit is applied to the mainstream branch. There have been cases like this in the past 1 2
According to docs 3 4 and output from git remote -v updates are taken from github
root # cd /var/git/meta-repo/ && git remote -v origin https://github.com/funtoo/meta-repo (fetch) origin https://github.com/funtoo/meta-repo (push)
Related
https://www.funtoo.org/FLOP:Release_Signing
https://git-scm.com/book/en/v2/Git-Tools-Signing-Your-Work