>>>>> On Sun, 21 Sep 2014, Michał Górny wrote:

> Rich Freeman <ri...@gentoo.org> wrote:
>> Ulrich is well aware of that. His argument is that with cvs there
>> is no security whatsoever in the scm, and so there is more interest
>> in layering security on top. With git there is more of a tendency
>> to rely on the less-than-robust commit signing system.
>>
>> We could always just keep full manifests in the tree and be no
>> worse off than with cvs.
> And we would be no better off than with CVS. We'd have a huge
> repository with a lot of redundant space-eating data and the
> impossibility of sane merges or rebases.

Not necessarily. As long as you keep write access to the repository
secure, you don't need anything special there. However, it's a
different story when the tree is distributed via a mirror system that
is not entirely under our control. Full manifests could be generated
automatically (and signed with an infra key) when copying the tree
from the repository to the master mirror.

Ulrich
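The scheme Ulrich sketches above (a full-tree Manifest generated at the point where the tree is copied from the repository to the master mirror, signed with an infra key, and checked by whoever syncs from a mirror that is not under the project's control) as an added example in Python. This is not code from the thread and not Gentoo's own tooling (Portage and gemato do this for real). It assumes Manifest2-style `DATA` lines carrying BLAKE2B and SHA512 digests, a small constructed tree built in a temporary directory, and a hypothetical infra key id handed to `sign_manifest`, which shells out to the `gpg` CLI and is not run by the demo. The verification side deliberately reports untracked files too, since a file dropped onto a mirror that no Manifest line covers is exactly what a signed Manifest is supposed to catch.

```python
"""Full-tree Manifest generation and verification for a mirrored tree.

Added example; not from the gentoo-dev thread and not Gentoo's own code.
Assumptions: Manifest2-style "DATA <path> <size> BLAKE2B <hex> SHA512 <hex>"
lines, the Manifest stored at the top of the tree, and an infra GPG key id
supplied by the caller (hypothetical; signing shells out to gpg).
"""
from __future__ import annotations

import hashlib
import subprocess
import tempfile
from pathlib import Path

MANIFEST_NAME = "Manifest"
HASHES = ("BLAKE2B", "SHA512")  # two independent digests per file, as Manifest2 does


def _digests(path: Path) -> dict[str, str]:
    """Stream the file once and return both digests as hex."""
    b2, s512 = hashlib.blake2b(), hashlib.sha512()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            b2.update(chunk)
            s512.update(chunk)
    return {"BLAKE2B": b2.hexdigest(), "SHA512": s512.hexdigest()}


def _tree_files(tree: Path) -> set[str]:
    """Relative POSIX paths of every regular file under tree, Manifest and its signature excluded."""
    skip = {MANIFEST_NAME, MANIFEST_NAME + ".asc"}
    return {p.relative_to(tree).as_posix() for p in tree.rglob("*") if p.is_file()} - skip


def generate_manifest(tree: Path) -> str:
    """Master-mirror side: one DATA line per file, sorted so output is reproducible."""
    lines = []
    for rel in sorted(_tree_files(tree)):
        path = tree / rel
        d = _digests(path)
        lines.append(f"DATA {rel} {path.stat().st_size} " + " ".join(f"{h} {d[h]}" for h in HASHES))
    return "\n".join(lines) + "\n"


def sign_manifest(manifest_path: Path, infra_key_id: str) -> None:
    """Produce a detached ASCII-armoured signature next to the Manifest with the infra key.

    Consumers run `gpg --verify Manifest.asc Manifest` against the infra public key
    before trusting a single digest in it. Not exercised by demo(); needs gpg and a key.
    """
    subprocess.run(["gpg", "--batch", "--yes", "--armor", "--local-user", infra_key_id,
                    "--detach-sign", "--output", str(manifest_path) + ".asc", str(manifest_path)],
                   check=True)


def parse_manifest(text: str) -> dict[str, tuple[int, dict[str, str]]]:
    """Map relative path -> (size, {hash name: hex}); reject anything not shaped like a DATA line."""
    entries: dict[str, tuple[int, dict[str, str]]] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split()
        # DATA, path, size, then (name, hex) pairs: an odd field count of at least 3 + 2 * len(HASHES)
        if fields[0] != "DATA" or len(fields) < 3 + 2 * len(HASHES) or len(fields) % 2 != 1:
            raise ValueError(f"malformed Manifest line: {line!r}")
        entries[fields[1]] = (int(fields[2]), dict(zip(fields[3::2], fields[4::2])))
    return entries


def verify_tree(tree: Path, manifest_text: str) -> list[str]:
    """Consumer side (after the signature on the Manifest has been checked): list every discrepancy."""
    entries = parse_manifest(manifest_text)
    problems: list[str] = []
    for rel, (size, digests) in entries.items():
        path = tree / rel
        if not path.is_file():
            problems.append(f"missing: {rel}")
            continue
        if path.stat().st_size != size:
            problems.append(f"size mismatch: {rel}")
            continue
        actual = _digests(path)
        for name in HASHES:  # every required digest must be present and match
            if digests.get(name) != actual[name]:
                problems.append(f"digest mismatch ({name}): {rel}")
    for rel in sorted(_tree_files(tree) - set(entries)):
        problems.append(f"untracked: {rel}")  # a file a mirror added that nobody signed for
    return problems


def demo() -> tuple[list[str], list[str]]:
    """Constructed tree: manifest it, then tamper with it the way a rogue mirror might."""
    with tempfile.TemporaryDirectory() as tmp:
        tree = Path(tmp) / "gentoo"
        (tree / "app-foo").mkdir(parents=True)
        ebuild = tree / "app-foo" / "foo-1.0.ebuild"
        original = 'EAPI=7\nSRC_URI="https://example.invalid/foo-1.0.tar.gz"\n'  # constructed
        ebuild.write_text(original)
        (tree / "profiles").mkdir()
        (tree / "profiles" / "package.mask").write_text("# constructed\n")
        manifest = generate_manifest(tree)
        (tree / MANIFEST_NAME).write_text(manifest)
        clean = verify_tree(tree, manifest)
        # Same-length edit, so size alone would not reveal it; only the digests do.
        ebuild.write_text(original.replace("example", "evilxxx"))
        (tree / "app-foo" / "foo-1.1.ebuild").write_text("EAPI=7\n")  # untracked addition
        return clean, verify_tree(tree, manifest)


if __name__ == "__main__":
    clean, tampered = demo()
    print("clean tree:", clean)
    print("tampered tree:", *tampered, sep="\n  ")
```

Note that the Manifest only has value on the consumer side if its signature is verified against the infra key before the digests are trusted; a mirror that can rewrite files can rewrite an unsigned Manifest just as easily.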