Personal verified repositories
2023-02-01 17:47:45 +01:00
repositories Add gitlab.com/gitlab-org/omnibus-gitlab 2023-02-01 01:53:48 +01:00
README.md Precise in README.md alternative method when having contributed to the repository of someone else to prove authenticity of own commits 2023-02-01 17:47:45 +01:00

Personal verified repositories

This repository has two aims:

  • as in a web of trust, people who trust me can trust the repository states that I have verified
  • to serve as a personal memo that keeps track of the repository states I have personally verified, with brief comments on their legitimacy as far as I know

Note that by repository state I mean the actual state of a repository at a given commit id, so marking a repository at a given commit as verified doesn't mean that previous commits were also verified. Only the resulting state at the given commit id was verified.

The current trust level is defined as "looks legitimate": I don't guarantee that, to the best of my knowledge, there isn't any security vulnerability.

Meta-information related to a git repository, such as dependencies (their verified status, not their legitimacy), issues, pull requests, etc., isn't verified yet but may be in the future; if so, it will be stated explicitly.

Default template:

{
    // Mandatory: git state hash verified.
    "commit": "0123456789abcdef0123456789abcdef01234567",
    // Optional (default: "VERIFIED"): combination of the following flags (written as `FLAG_0 | FLAG_1 | ... | FLAG_N`):
    // - `VERIFIED_ONLY_OWN_COMMITS`: the whole git state wasn't verified, but the verifier's own commits were (note that using this flag for repositories that aren't managed by the verifier requires the verifier's commits to be signed and the fingerprint of the verifier's public key to be given, in this `README.md` for instance; otherwise the commit hashes have to be specified in some way)
    // - `CLOSED_SOURCE_DEPENDENCY`
    // - `UNVERIFIED_INITIAL_COMMIT`
    "status": "VERIFIED",
    // Optional (default: ""): verifier comment concerning the git state verified
    "comment": ""
}
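
As an added example (not code from this repository), a Python reader for records in the template's format: it strips the `//` comments, applies the documented defaults, and checks whether a record applies to a given checkout. The function names, the rejection of unknown flags and abbreviated hashes, and the sample record are assumptions made for the example.

```python
import json
import re

# Flag names are from the template; rejecting any other name is an assumption.
KNOWN_FLAGS = {"VERIFIED", "VERIFIED_ONLY_OWN_COMMITS",
               "CLOSED_SOURCE_DEPENDENCY", "UNVERIFIED_INITIAL_COMMIT"}
FULL_SHA1 = re.compile(r"[0-9a-f]{40}")  # full id as in the template, no short prefixes

def strip_line_comments(text):
    """Drop `//` comments, leaving `//` inside JSON strings (e.g. URLs) untouched."""
    out, in_string, i = [], False, 0
    while i < len(text):
        ch = text[i]
        if not in_string and text.startswith("//", i):
            end = text.find("\n", i)
            i = len(text) if end == -1 else end  # resume at the newline
            continue
        out.append(ch)
        if in_string and ch == "\\" and i + 1 < len(text):
            out.append(text[i + 1])  # keep the escaped character, e.g. \"
            i += 1
        elif ch == '"':
            in_string = not in_string
        i += 1
    return "".join(out)

def parse_record(text):
    """Validate one record and apply the template's defaults."""
    record = json.loads(strip_line_comments(text))
    commit = record.get("commit")  # mandatory field
    if not isinstance(commit, str) or not FULL_SHA1.fullmatch(commit):
        raise ValueError("commit must be a full 40-hex-digit commit id")
    flags = {f.strip() for f in str(record.get("status", "VERIFIED")).split("|")}
    if flags - KNOWN_FLAGS:
        raise ValueError(f"unknown status flag(s): {sorted(flags - KNOWN_FLAGS)}")
    return {"commit": commit, "flags": flags, "comment": record.get("comment", "")}

def covers_checkout(record, head_commit):
    """True only at exactly the verified commit, and only if the whole state was verified."""
    return (head_commit == record["commit"]
            and "VERIFIED_ONLY_OWN_COMMITS" not in record["flags"])

# Constructed sample record (not taken from the repository).
SAMPLE = """{
    // state reviewed by the verifier
    "commit": "0123456789abcdef0123456789abcdef01234567",
    "status": "VERIFIED | CLOSED_SOURCE_DEPENDENCY",
    "comment": "upstream: https://example.org/project"
}"""
```

`covers_checkout` takes the commit id of the local checkout, for example the output of `git rev-parse HEAD`, and returns false for any commit other than the recorded one, matching the note above that only the state at the given commit id was verified.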