* Bruno Wolff, III: > On Fri, Jun 07, 2019 at 08:37:57 -0000, > Petr Pisar <ppisar@xxxxxxxxxx> wrote: >>On 2019-06-06, Stephen Gallagher <sgallagh@xxxxxxxxxx> wrote: >>> Might be worth asking if there's a reason to need this offline. If the >>> exact commit ID is stored in Koji and is authoritative, also tagging >>> it into git might be convenient for offline purposes. The fact that >>> it's not immutable is probably not an issue as long as the >>> authoritative site *is*. (e.g. The same script that gets the hash from >>> Koji could also detect if someone manually changed it in git, which >>> would probably qualify as suspicious behavior.) >> >>If tags in dist-git could disagree with Koji, people could not rely on >>them and would use Koji instead rendering tags in dist-tag useless. > > Would having signed tags help? No, the tags must recide in a namespace, and dist-git (i.e., src.fedoraproject.org) must restrict who can push into that namespace. Thanks, Florian _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
