Re: GPG signing for git commit?

On Thu, Apr 16, 2009 at 4:55 AM, Robin H. Johnson <robbat2@xxxxxxxxxx> wrote:
> One of the spots that we're looking for in this, is a model something
> like what follows. Firstly, a "proxy maintainer" (PM) is a developer
> with commit rights to the central repo, that's willing to proxy commits
> by an outside source for some specific package. Think of them as the
> kernel subsystem maintainer, but many more of them. The PM is still
> expected to verify the work before passing it on to the central repo.
>
> So we have a commit with author+committer being the outside source, and
> now we want to record (in an easily reviewable fashion) that a specific
> changeset was introduced to the central tree by the PM.
>
> Not sure of the best route to trace this data. Signing the SHA1 makes
> the most sense, but need to be able to do that without polluting the tag
> namespace.
>
> If the changeset does not have an associated signature, we'd like to
> reject it at the central repo.

How about signing the tree SHA-1 and putting the signature in the commit
message? It's like the gpg way of saying Signed-off-by. If the committer
wants to sign again before pushing out, he could amend the commit and
append his signature there, or make a no-change commit to contain his
signature (probably from git-commit-tree because iirc git-commit won't
let you make a no-change commit).
-- 
Duy
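
The tree-signing idea discussed in this thread, as an added example that is not part of the original messages or of git itself: it signs a tree SHA-1, carries the armored signature in the commit message, and checks it the way a central repo could before accepting a commit. It assumes git and GnuPG 2.1 or later, and one signature block per message; the throwaway key, file names and the `Proxied-by` line are constructed for the demo.

```shell
#!/bin/sh
# Added example; the key identity, paths and file contents are constructed.

# Accept <commit> only if its message carries an armored detached signature
# that verifies against the commit's tree SHA-1 (one signature block assumed).
verify_tree_sig() {  # usage: verify_tree_sig <repo> <commit>
    sig=$(mktemp) || return 2
    git -C "$1" log -1 --format=%B "$2" |
        sed -n '/^-----BEGIN PGP SIGNATURE-----$/,/^-----END PGP SIGNATURE-----$/p' >"$sig"
    rc=1                                        # no signature block: reject
    if [ -s "$sig" ] && git -C "$1" rev-parse "$2^{tree}" |
            gpg --batch --quiet --verify "$sig" - 2>/dev/null; then rc=0; fi
    rm -f "$sig"
    return "$rc"
}

# Throwaway keyring and repository so nothing touches the caller's setup.
demo_dir=$(mktemp -d)
GNUPGHOME="$demo_dir/gnupg"; export GNUPGHOME
mkdir -m 700 "$GNUPGHOME"
gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --quick-generate-key 'Demo PM <pm@example.invalid>' default default never 2>/dev/null
REPO="$demo_dir/repo"
git init -q "$REPO"
g() { git -C "$REPO" -c user.name=Demo -c user.email=demo@example.invalid "$@"; }

# 1. Sign the tree SHA-1 of the staged content; put the signature in the message.
echo 'v1' >"$REPO/pkg.txt"; g add pkg.txt
{ echo 'Add pkg'; echo; g write-tree | gpg --batch --armor --detach-sign; } >"$demo_dir/msg"
g commit -q -F "$demo_dir/msg"; SIGNED=$(g rev-parse HEAD)

# 2. Amend only the message: new commit SHA-1, same tree, signature still valid.
{ cat "$demo_dir/msg"; echo; echo 'Proxied-by: Demo PM'; } >"$demo_dir/msg2"
g commit -q --amend -F "$demo_dir/msg2"; AMENDED=$(g rev-parse HEAD)

# 3. Same signature text on different content: the tree no longer matches.
echo 'v2' >"$REPO/pkg.txt"
g commit -q -a -F "$demo_dir/msg"; MISMATCH=$(g rev-parse HEAD)

# 4. No signature at all.
echo 'v3' >"$REPO/pkg.txt"
g commit -q -a -m 'No signature'; UNSIGNED=$(g rev-parse HEAD)

for c in "$SIGNED" "$AMENDED" "$MISMATCH" "$UNSIGNED"; do
    if verify_tree_sig "$REPO" "$c"; then echo "accept $c"; else echo "reject $c"; fi
done
gpgconf --kill all 2>/dev/null || true          # stop the demo keyring's daemons
```

Only the tree is covered, so the signature says nothing about the commit's parents, author or message.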