W dniu nie, 08.07.2018 o godzinie 11∶04 -0700, użytkownik Zac Medico napisał: > On 07/08/2018 06:56 AM, Michał Górny wrote: > > W dniu nie, 08.07.2018 o godzinie 15∶02 +0200, użytkownik Kristian > > Fiskerstrand napisał: > > > On 07/08/2018 08:53 AM, Michał Górny wrote: > > > > Is safe git syncing implemented already? If not, maybe finish it first > > > > and cover both with a single news item. Git is going to be more > > > > efficient here, so people may want to learn they have an alternative. > > > > > > Why complicate things, and increase wait for something that benefits > > > most users, just to give alternatives to a few using non-default sync > > > mechanism. Securing git distribution is a whole different ballpark. > > > > > > > Let me rephrase. Let's say I'm using rsync. This new feature is > > something positive but it breaks my use case (for one of the listed > > reasons -- overlayfs, inode use, small fs cache). After reading this > > news item, I learn that my only option is to disable the new feature. > > > > Now, I would appreciate being told that there's an alternate sync method > > that handles secure updates without having all those drawbacks. > > The thing is, the normal git tree doesn't even provide pre-generated > metadata, and I see then gentoo-mirror repo that provides metadata does > not have commits signed with an release key: > > https://github.com/gentoo-mirror/gentoo/commits/stable > > So I'm really not comfortable recommending git to anyone at this point.
Wrong twice. Firstly, the canonical URL is: https://anongit.gentoo.org/git/repo/sync/gentoo.git (https://gitweb.gentoo.org/repo/sync/gentoo.git) Secondly, the merge commits (i.e. top commits that are verified by Portage) are signed by dedicated key that is part of the infra key set. In other words, it works out of the box. -- Best regards, Michał Górny
signature.asc
Description: This is a digitally signed message part
