[merge] bzr re-sign update
John A Meinel
john at arbash-meinel.com
Wed Feb 15 15:50:25 GMT 2006
Robert Collins wrote:
...
>
> Cool. I'd love for sign-my-commits to be builtin. +1 for you doing that
> if you add some smoke tests. :)
>
Well, in jam-pending I reverted my other gpg changes, and then added
sign-my-commits. Attached is the patch.
> For validation, plain old gpg is fine for non-policy validation, and its
> a good start, but I suspect we'll need gpgme in one form or another for
> things like 'permit anyone with a uid matching the committer id and
> level 2 confidence in that uid'. (there is a new wrapper that is much
> nicer than pyme that I'm tracking down at the moment).
>
> But it would rock to start fleshing out the validation side of the gpg
> stuff in bzr core.
>
> Rob
>
Building in validation would definitely be nice. Doing it right would
need to be pretty invasive. For example, we should check the signature
is correct before we merge in new texts. Unfortunately, neither weaves
nor knits will make that easy. I suppose we could assume the text sha1s
are correct (since weave will complain on extraction if it isn't), and
then we can just check the signature by checking the inventory and
revision information.
John
=:->
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: sign-my-commits.diff
Url: https://lists.ubuntu.com/archives/bazaar/attachments/20060215/e4d0bba5/attachment.diff
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 249 bytes
Desc: OpenPGP digital signature
Url : https://lists.ubuntu.com/archives/bazaar/attachments/20060215/e4d0bba5/attachment.pgp
More information about the bazaar
mailing list