Note

The Funtoo Linux project has transitioned to "Hobby Mode" and this wiki is now read-only.

FLOP:Metarepo signing

From Funtoo
Revision as of 07:42, March 17, 2020 by Mrl5 (talk | contribs) (Created page with "{{FLOP |Created on=2020/03/17 |Summary=Commits in metarepo could be GPG signed and then ego could verify those signatures |Author=mrl5 }} == Overview == This feature create...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search
Created on
2020/03/17
Original Author(s)
mrl5
Status

Funtoo Linux Optimization Proposal: Metarepo signing

Commits in metarepo could be GPG signed and then ego could verify those signatures

Overview

This feature creates an extra protection layer in case when funtoo github account would be compromised or for any other reason unauthorized commit is applied to the mainstream branch. There have been cases like this in the past 1 2

According to docs 3 4 and output from git remote -v updates are taken from github

root # cd /var/git/meta-repo/ && git remote -v
origin  https://github.com/funtoo/meta-repo (fetch)
origin  https://github.com/funtoo/meta-repo (push)

Related

https://www.funtoo.org/FLOP:Release_Signing

https://git-scm.com/book/en/v2/Git-Tools-Signing-Your-Work