From mboxrd@z Thu Jan  1 00:00:00 1970
From: mricon at kernel.org (Konstantin Ryabitsev)
Date: Tue, 20 Mar 2018 17:23:36 -0400
Subject: RFC: snapshot tarball information in refs/notes/snapshots
Message-ID: <20180320212336.GA19694@work>

Hi, all:

I'd like to propose a feature in CGit that would allow providing
additional information within the repository to better create the
tarball, when snapshot downloads are enabled.

Let's take for example:
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git

I would like the "Download" column to also list detached PGP signatures
for each of the listed tarballs, taking the necessary information from
refs/notes/snapshots. Let's say the following note is associated with
the v3.16.56 tag:

---8<---

$ git notes --ref snapshots show v3.16.56

meta-version: 1.0
archive-prefix: linux-3.16.56/
archive-format: tar

-----BEGIN PGP SIGNATURE-----
Comment: This signature is for the .tar version of the archive

iHUEABYIAB0WIQR2vl2yUnHhSB5njDW2xBzjVmSZbAUCWrF3LQAKCRC2xBzjVmSZ
bLKiAQDWqg0B2DVA8QxGGqx3/5Ymkj4qKhqNT806+lkbfSFcfgEA3ZJonPCcL14Q
BAYrSkxzKXcI8NBPcq8torN+JibwAQo=
=IXM5
-----END PGP SIGNATURE-----

---8<---

CGit could then use the information in this note to know that:

1. the archive needs to be created with --prefix linux-3.16.56/ instead
of guessing the prefix based on the repo and tag names
2. it needs to create and offer a link to download signature.asc (or
linux-3.16.56.tar.asc), which should contain all lines including and
following '-----BEGIN PGP SIGNATURE'

I think adding this feature would be very straightforward and won't
require a lot of work, while offering end-users a way to verify
downloaded snapshots.

What do you think?

Best,
-- 
Konstantin Ryabitsev
Director, IT Infrastructure Security
The Linux Foundation