RFC: snapshot tarball information in refs/notes/snapshots

Konstantin Ryabitsev mricon at kernel.org
Tue Mar 20 22:23:36 CET 2018

Hi, all:

I'd like to propose a feature in CGit that would allow providing
additional information within the repository to better create the
tarball, when snapshot downloads are enabled.

Let's take for example:

I would like the "Download" column to also list detached PGP signatures
for each of the listed tarballs, taking the necessary information from
refs/notes/snapshots. Let's say the following note is associated with
the v3.16.56 tag:


$ git notes --ref snapshots show v3.16.56

meta-version: 1.0
archive-prefix: linux-3.16.56/
archive-format: tar

Comment: This signature is for the .tar version of the archive



CGit could then use the information in this note to know that:

1. the archive needs to be created with --prefix linux-3.16.56/ instead
of guessing the prefix based on the repo and tag names
2. it needs to create and offer a link to download signature.asc (or
linux-3.16.56.tar.asc), which should contain all lines including and
following '-----BEGIN PGP SIGNATURE'

I think adding this feature would be very straightforward and won't
require a lot of work, while offering end-users a way to verify
downloaded snapshots.

What do you think?

Konstantin Ryabitsev
Director, IT Infrastructure Security
The Linux Foundation

More information about the CGit mailing list