On Thu, May 1, 2008 at 1:26 PM, Martin Langhoff <martin.langhoff@xxxxxxxxx> wrote: > 4 - A script "pushes" commits from the "incoming" repo to a > "verified" repo after checking that they are backed by a GPG-signed > list. For ease of use, this can happen on the server ASAP, and it can > be validated independently by any party. Notably, it is probably a > good idea that it is validated shortly before a release is tagged. > > This way, you keep the flexible/fast properties of git Note that with this, you *can* also keep the ability for someone to push commits that they are not the author or committer for. This is actually added flexibility - you can merge from a 3rd party tree, and push it to the central repo, as long as you GPG-sign the list including those commits. I highlight "can" because the wrapper on the developer side and the script on the server side can prevent this, or force extra steps in such case. cheers, m -- martin.langhoff@xxxxxxxxx martin@xxxxxxxxxx -- School Server Architect - ask interesting questions - don't get distracted with shiny stuff - working code first - http://wiki.laptop.org/go/User:Martinlanghoff -- To unsubscribe from this list: send the line "unsubscribe git" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
