Re: git-pull and tag objects

[Theodore Tso <tytso@mit.edu>]

On Sat, Feb 10, 2007 at 09:56:25AM -0800, Linus Torvalds wrote:
> We could verify tags automatically, of course, but the question is, what 
> would the policy be? 

What I would propose (post-1.5.0!) is that the policy file be local to
the repository, and consist of an ordered list of regular expressions
and and lists of PGP keys associated with each regexp.  So for
example, I might have in my repository a config file which states that
any tag that matches v2.6.[0-9]+ and v2.6.[0-9]+-rc[0-9]+ must be
signed by PGP key 0x76E21CBB (Linus's key).

What I would very much like is for the tags to be automatically
verified whenever I do a git-fetch operation, and for me to get a big,
fat, warning if some tag isn't signed by an authoried key.

So this would help make sure that when I'm pulling from kernel.org,
I'm getting something that originally came from Linus, and someone
hasn't managed to insert trojan into the git tree, but it doesn't help
in between releases.  In order to solve that problem we would have to
have some kind of scheme where branch heads could be optionally
signed, and then transfered over to the public repository.  Then, in
the git config file, we could list an expected set of keys that should
sign any branch head for a particular tracking branch.  

Since all of this is local policy, someone who wanted to have a
different set of trusted peers, they could do so.  And, of course,
someone who wanted to run completely open with no gpg signature
checking at all could do so.  (aka "rms/rms mode" :-)

Does this make sense?

						- Ted