On 07/06/2014 05:25 AM, Nico Kadel-Garcia wrote:
> Some of that is in the '[packagename].metadata' file. Problem is, it's
> inside the repository itself. The more common approach, built into git
> directly for *exactly* this sort of use, is to use GPG signed tags.
> It's possible to remove and replace a tag, but the GPG signature helps
> assure that if that occurs, at least it was *intentional* by the owner
> of the GPG tag.

if you can MITM the content, nothing signed or otherwise is assured to
be in any state.

--
Karanbir Singh
+44-207-0999389 | http://www.karan.org/ | twitter.com/kbsingh
GnuPG Key : http://www.karan.org/publickey.asc