18 Mar
2005
18 Mar
'05
2:41 a.m.
* Ronald G. Minnich rminnich@lanl.gov [050317 22:35]:
It is enough to use ssh. THOUGH: It is highly recommended that you sign the commits so that the origin can be verified. (ie otherwise I could in theory fake a commit done by you)
to make sure I understand: if I have a gpgkey, then the commit process will automagically ensure that it is signed, which is not the case for sshkey?
You have to do the following: $ mkdir -p ~/.arch-params/signing $ echo "gpg --clearsign" > ~/.arch-params/signing/=default $ echo "gpg --verify-files -" > ~/.arch-params/signing/=default.check
* gpg is only there to proof integrity of the checkins * ssh only gives you access to the machine
Stefan