[CentOS-devel] Back on CentOS-devel to get some git.centos.org improvements

Sun Jul 6 09:29:03 UTC 2014
Karanbir Singh <mail-lists at karan.org>

On 07/06/2014 05:25 AM, Nico Kadel-Garcia wrote:
> Some of that is in the '[packagename].metadata' file. Problem is, it's
> inside the repository itself. The more common approach, built into git
> directly for *exactly* this sort of use, is to use GPG signed tags.
> It's possible to remove and replace a tag, but the GPG signature helps
> assure that if that occurs, at least it was *intentional* by the owner
> of the GPG tag.

If you can MITM the content, nothing signed or otherwise is assured to
be in any state.

Karanbir Singh
+44-207-0999389 | http://www.karan.org/ | twitter.com/kbsingh
GnuPG Key : http://www.karan.org/publickey.asc