Secure supply chain (PGP) #9
Currently, forgebuild does very little for security (support for https sources). We should support PGP signatures for repositories.
However, git's verification of signatures (no idea about mercurial) only verifies the signature of HEAD, not of every commit. This is good basic security for most needs.
For more sensitive systems, we should find inspiration in guix's channel introductions to ensure the whole commit history has been vetted.
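One way to close the gap described above (git only checking the signature of the tip, not the whole history) is to audit every commit since a known-good "introduction" commit against an allowlist of signing-key fingerprints. The script below is an added example for this issue; it is not forgebuild's code and not Guix's implementation of `guix git authenticate`. It assumes the commit list is produced by a command such as `git log --format='%H %G? %GF' <introduction>..HEAD` (both format placeholders are documented in git-log(1); the introduction commit and the fingerprints are placeholders), and the embedded sample log lines are constructed for illustration.

```python
"""Audit every commit in a range for a good signature from an allowlisted key.

Added example, not code from forgebuild or Guix. Input lines are assumed to
come from:

    git log --format='%H %G? %GF' <introduction-commit>..HEAD

%G? is git's one-letter signature status and %GF the signing key's
fingerprint (empty when the commit carries no signature).
"""
import sys
from typing import Iterable

# Status codes as documented in git-log(1) for the %G? placeholder.
GOOD = {"G"}                    # good signature, key fully trusted by git/gpg
CONDITIONAL = {"U", "X", "Y"}   # good signature, unknown validity or expired
# Anything else (B bad, R revoked, E cannot check, N unsigned) is rejected.


def audit_commits(log_lines: Iterable[str],
                  trusted_fingerprints: set[str]) -> list[tuple[str, str]]:
    """Return (commit, reason) for each commit that fails the policy.

    A commit passes only when the cryptographic check succeeded (G, or U/X/Y,
    since we vet the key ourselves below) AND the signing key is in our own
    allowlist. Requiring the fingerprint means a key that merely happens to
    sit in the verifier's keyring does not make a commit trustworthy.
    """
    allowed = {fp.upper() for fp in trusted_fingerprints}
    problems: list[tuple[str, str]] = []
    for raw in log_lines:
        parts = raw.split()
        if not parts:
            continue  # tolerate blank lines in the captured output
        commit, status = parts[0], parts[1]
        fingerprint = parts[2].upper() if len(parts) > 2 else ""
        if status not in GOOD | CONDITIONAL:
            problems.append((commit, f"signature status {status}"))
        elif fingerprint not in allowed:
            problems.append((commit, f"key {fingerprint or '<none>'} not in allowlist"))
    return problems


# Constructed sample output (hashes and fingerprints are made up).
SAMPLE_LOG = [
    "a1b2c3d G 0123456789ABCDEF0123456789ABCDEF01234567",  # signed by trusted key
    "b2c3d4e U 0123456789ABCDEF0123456789ABCDEF01234567",  # gpg unsure, but key is ours
    "c3d4e5f G FEDCBA9876543210FEDCBA9876543210FEDCBA98",  # valid signature, unknown key
    "d4e5f6a N",                                           # unsigned commit
    "e5f6a7b E 1111222233334444555566667777888899990000",  # signature could not be checked
]
TRUSTED_KEYS = {"0123456789ABCDEF0123456789ABCDEF01234567"}  # placeholder allowlist


def main() -> int:
    """Read git log lines from stdin (or use the sample) and fail on any problem."""
    lines = [l for l in sys.stdin] if not sys.stdin.isatty() else SAMPLE_LOG
    failures = audit_commits(lines, TRUSTED_KEYS)
    for commit, reason in failures:
        print(f"REJECT {commit}: {reason}")
    return 1 if failures else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it as `git log --format='%H %G? %GF' <introduction>..HEAD | python3 audit.py`; a non-zero exit means at least one commit in the range is unsigned, unverifiable, or signed by a key outside the allowlist, which is the whole-history check the issue asks for rather than a HEAD-only one.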
With GNU/Guix 1.2, their secure supply chain has been exposed as a subcommand: guix git authenticate.
It's a perfect fit for our use case.