Personal verified repositories
Benjamin Loison
f04e95cfae
Note that here I talk about commits and not git state. I don't even know if talking about global commits diff like a git state diff make sense as commits happening between the first and last known to date verifier can contain commits from other users. |
||
|---|---|---|
| repositories | ||
| README.md | ||
Personal verified repositories
This repositories has two aims:
- as the web of trust, people trusting me can trust the repositories states that I verified
- serve as a personal memo to keep track of personal verified states of repositories that I use and briefly comment as far as I know their legitimacy
Note that by repository state I mean the actual state of a repository at a given commit id, so marking a repository at a given commit as verified doesn't mean that previous commits were also verified. Only the resulting state at the given commit id was verified.
The current trust level is defined as looking legitimate, I don't guarantee that to the best of my knowledge there isn't any security vulnerability.
Meta-informations related to a git, such as dependencies (not the legitimate aspect but the verified one), issues, pull requests..., aren't verified yet but may be in the future, if so it would be precised as such.
Default template:
{
// Mandatory: git state hash verified.
"commit": "0123456789abcdef0123456789abcdef01234567",
// Optional (default: "VERIFIED"): xor of following flags (written as `FLAG_0 | FLAG_1 | ... | FLAG_N`):
// - `VERIFIED_ONLY_OWN_COMMITS`: means that the whole git state wasn't verified but the verifier commits were verified (note that using this flag for repositories that aren't managed by the verifier requires verifier commits to be signed and to precise the fingerprint of his public key in this `README.md` for instance)
// - `CLOSED_SOURCE_DEPENDENCY`
// - `UNVERIFIED_INITIAL_COMMIT`
"status": "VERIFIED",
// Optional (default: ""): verifier comment concerning the git state verified
"comment": ""
}