bug-gnulib

publish PGP-signed git bundles of gnulib?


From: Simon Josefsson
Subject: publish PGP-signed git bundles of gnulib?
Date: Tue, 10 Dec 2024 11:33:12 +0100
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/27.1 (gnu/linux)

Hi!  What do you think about publishing

ftp://ftp.gnu.org/gnu/gnulib/gnulib-20241210-bundle
ftp://ftp.gnu.org/gnu/gnulib/gnulib-20241210-bundle.sig

Which would be a Git bundle of the gnulib git repository.

Read about Git bundles here:

https://git-scm.com/docs/git-bundle

It would be created something like this.  Probably stable-* branches
should be included too.

git clone https://git.savannah.gnu.org/git/gnulib.git
cd gnulib
git bundle create gnulib-20241210-bundle master
# detached signature, so that the .sig file above sits beside the bundle
gpg --detach-sign gnulib-20241210-bundle

Why, you may ask?

1) If savannah is offline or compromised, having widely mirrored
known-good offline copies of the entire gnulib repository is nice.

2) Output of 'git clone' is not serialized and does not use a stable
format, so a 'tar cfz gnulib-20241210.tar.gz gnulib/' works poorly.

3) It would add PGP-style authentication and integrity checking of the
repository.  Currently we only offer HTTPS against Savannah, and the
WebPKI is not as strong as trusting a PGP signature directly.

I thought about compression but git bundles appear to use good
compression already: 81MB without compression compared to 70MB with xz-9,
so hardly important.

/Simon

Attachment: signature.asc
Description: PGP signature
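A consumer-side pre-check to go with the proposal, added here as an example and not part of Simon's message or of gnulib: it parses the v2 git bundle header (the format `git bundle create` writes for SHA-1 repositories), lists the refs the bundle carries, and rejects a bundle that has prerequisites, since only a prerequisite-free bundle is the self-contained offline copy point 1 asks for. The object ids, ref names and the truncated pack stub are constructed sample data, not real gnulib values.

```python
import re

_OID = re.compile(rb"^[0-9a-f]{40}$")  # SHA-1 object id, as used in v2 bundles


def parse_bundle_header(data: bytes) -> dict:
    """Parse a v2 git bundle header; reject anything off-format before cloning."""
    lines = data.split(b"\n")
    if lines[0] != b"# v2 git bundle":
        raise ValueError("not a v2 git bundle header")
    hdr = {"prerequisites": [], "refs": {}, "pack_offset": 0}
    offset = len(lines[0]) + 1
    for line in lines[1:]:
        offset += len(line) + 1
        if line == b"":
            break                                   # blank line ends the header
        oid, _, rest = line.partition(b" ")
        is_prereq = oid.startswith(b"-")            # "-<oid> <comment>" lines
        oid = oid[1:] if is_prereq else oid
        if not _OID.match(oid):
            raise ValueError("malformed object id in %r" % line)
        if is_prereq:
            hdr["prerequisites"].append((oid.decode(), rest.decode()))
        elif rest.startswith(b"refs/") or rest == b"HEAD":
            hdr["refs"][rest.decode()] = oid.decode()
        else:
            raise ValueError("malformed ref line %r" % line)
    else:
        raise ValueError("header not terminated by a blank line")
    if data[offset:offset + 4] != b"PACK":       # packfile must follow immediately
        raise ValueError("no packfile after header")
    hdr["pack_offset"] = offset
    return hdr


def is_complete_mirror(data: bytes, required_refs=("refs/heads/master",)) -> bool:
    """True if the bundle needs no prior objects and carries every required ref."""
    hdr = parse_bundle_header(data)
    return not hdr["prerequisites"] and all(r in hdr["refs"] for r in required_refs)


# Constructed sample bundles (fake object ids, truncated pack); not real gnulib data.
OID_MASTER = "0123456789abcdef0123456789abcdef01234567"
OID_STABLE = "89abcdef0123456789abcdef0123456789abcdef"
PACK_STUB = b"PACK\x00\x00\x00\x02\x00\x00\x00\x00"
SAMPLE_FULL = (b"# v2 git bundle\n" + f"{OID_MASTER} refs/heads/master\n".encode()
               + f"{OID_STABLE} refs/heads/stable-202407\n".encode() + b"\n" + PACK_STUB)
SAMPLE_INCREMENTAL = (b"# v2 git bundle\n" + f"-{OID_STABLE} older commit\n".encode()
                      + f"{OID_MASTER} refs/heads/master\n".encode() + b"\n" + PACK_STUB)
```

Run it on the downloaded file after `gpg --verify` of the detached signature has passed; it complements, rather than replaces, `git bundle verify`, which additionally checks the packfile contents.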

