On Mon, May 22, 2017 at 8:34 PM, Stefan Beller <sbeller@xxxxxxxxxx> wrote: > The Git community considers using submodules for some parts of the > code (a third party lib, SHA1DC, computing SHA1s that warn about > potential attachs, see shattered.io) [1]. > > We are also concerned about single point of failure there, so a repo > at kernel.org > mirroring the potential submodule[2] would be great. > > I cc'd the git mailing list as we may want to have further discussion who > shall have access to the new repo. > > [1] https://public-inbox.org/git/20170520115429.12289-1-avarab@xxxxxxxxx/ > [2] https://github.com/cr-marcstevens/sha1collisiondetection The access problem could be solved by none of us having access to the repo, if the git.kernel.org admins are willing to set up a mirror of the github repo, a cronjob running git-fetch with the appropriate parameters to just fetch the master (or everything, but only master is needed). Updating such a mirror with a daily cronjob would be more than enough. Less seriously but worth pointing out: It could also be solved by just setting the user:password to foo:bar and publishing that in the description & setting the repo to non-fast-forward only. This will only be used by the git.git repo, which'll point at a specific sha1 in its history, wouldn't that be a nice demo of the whole "give the repo to your worst enemy but as long as you have the sha ... " parable Linus posted on-list back in the day... :)