Re: [task #4633] GPG-Signed Commits

[Mark D. Baushke]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Derek Price <derek@ximbiot.com> writes:

> Just a quick RFC on how this will integrate into the CVS command line &
> config.  I'm thinking that signing will be off by default, with a simple
> `-g' global option to enable it.
> 
> Since adding -g to a .cvsrc might not be acceptable for users that work
> with multiple roots, I think this should also be implemented as a method
> option that can be added to a CVSROOT string
> <http://ximbiot.com/cvs/wiki/index.php?title=CVS--Concurrent_Versions_System_v1.12.12.1:_The_Repository#The_connection_method>.

What option name do you suggest? :ext;sign=yes: ?

> 
> Servers would have a three-level GPG requirement setting in CVSROOT/config:
> 
>     RequireGPGCommitSignatures=(no|yes|verify)

I don't know if the GPG name needs to be present or not. Folks could use
PGP or GPG or any other OpenPGP conformant program to get the job done,
couldn't they?

> 
> Where `no' means signatures are allowed but not required, `yes' means
> signatures are required, and `verify' means that signatures are required
> and that the server verifies that submitted signatures are valid before
> allowing a commit.

I'm not sure that verify makes sense as an administrator may want to do
this kind of checking in a commitinfo trigger and base it on the web of
trust for a given key rather just saying it was signed...

        -- Mark
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (FreeBSD)

iD8DBQFDNFIPCg7APGsDnFERAlGOAKCSiMEY25aILx+Hxe9/uG9uOGdELgCfR+ek
ij0lDon80jG3OALeBbn5fXw=
=Rj0p
-----END PGP SIGNATURE-----