On Thu, May 07, 2009 at 03:30:51PM +1000, Nguyen Thai Ngoc Duy wrote: > On Thu, Apr 16, 2009 at 4:55 AM, Robin H. Johnson <robbat2@xxxxxxxxxx> wrote: > > One of the spots that we're looking for in this, is a model something > > like what follows. Firstly, a "proxy maintainer" (PM) is a developer > > with commit rights to the central repo, that's willing to proxy commits > > by an outside source for some specific package. Think of them as the > > kernel subsystem maintainer, but many more of them. The PM is still > > expected to verify the work before passing it on the central repo. > > > > So we have a commit with author+committer being the outside source, and > > now we want to record (in an easily reviewable fashion) that a specific > > changeset was introduced to the central tree by the PM. > > > > Not sure of the best route to trace this data. Signing the SHA1 makes > > the most sense, but need to be able to do that without polluting the tag > > namespace. > > > > If the changeset does not have an associated signature, we'd like to > > reject it at the central repo. > How about signing the tree SHA-1 and putting the signature in commit > message? It's like gpg way of saying Signed-off-by. If the committer > wants to sign again before pushing out, he could amend the commit, > append his signature there; or make a no-change commit to contain his > signature (probably from git-commit-tree because iirc git-commit won't > let you make no-change commit) Hmm, I like the sound of that, but I'm concerned it might be difficult to enforce. If rewrite-history ever happens, it's also invalidated. -- Robin Hugh Johnson Gentoo Linux Developer & Infra Guy E-Mail : robbat2@xxxxxxxxxx GnuPG FP : 11AC BA4F 4778 E3F6 E4ED F38E B27B 944E 3488 4E85
Attachment:
pgplRbOfUChiB.pgp
Description: PGP signature