What about the npub profile in GitWorkshop? Does that go by maintainer file or by who signed the ngit init event?
What if five people are maintainers and only one signed the init?
Discussion
How can you "verify" a repo init?
what would you like to verify about the repo init?
gitworkshop.dev goes by who signed the repo event (I think or maybe if someone is tagged as a maintainer it also shows - if this is the case it should be clearly marked and currently isn't)
Maybe npubs should be able to "verify" a maintainer tag and have it added to their profile. Then you'd have an event that could be queried.
Like, I'm about to add nostr:nprofile1qyg8wumn8ghj7mn0wd68ytnddakj7qgkwaehxw309anhyet9deek7atv9eehqctrv5hszxnhwden5te0dehhxarj9e6xsetnv9kk2cmpwshxjme0qqs8qy3p9qnnhhq847d7wujl5hztcr7pg6rxhmpc63pkphztcmxp3wgkaukss and nostr:nprofile1qy28wumn8ghj7un9d3shjctzd3jjummjvuhszythwden5te0dehhxarj9emkjmn99uq3xamnwvaz7tmsw4e8qmr9wpskwtn9wvhszxrhwden5te0ve5kcar9wghxummnw3ezuamfdejj7qgmwaehxw309a6xsetxdaex2um59ehx7um5wgcjucm0d5hsz9mhwden5te0wfjkccte9ehx7um5wghxyctwvshsqgxwr0u6myskfhez0072k2qnry7xp66qy8f4ha9mh3h6ynzkp58nay7de7kn as maintainers to GitCitadel. Can they then somehow sign/verify that and have the repo event show up in their profile under Repositories?
And could they later revoke that, if they want to leave a project?
Like, can we establish a nostr-link between an npub and a maintainer tag?
they should sign a repo event with the same information in. if they do `ngit init` it should prompt they for each parameter but default to whats listed in maintainers.yaml and your existing repo event.
if you are all listed in maintainers.yaml, ngit will use whichever event has the largest created_at date and tag all of your repo events in any patches.
Ah, okay. I didn't realize we could have parallel events. We'll have to try that out.
gitworkshop doesn't query the maintainers file. Its actually a little problematic for a web client to access specific files within a git repository from a git server.
Most git servers expose the file tree through their webserver. Can't we hack around and use this as a best effort to verify?
*yes. although I'm not sure how valuable the information is. it would only tell you that the maintainers.yaml file includes the npub that signed the event. how would the user know whether to trust the git repo hosted at that url?
*many git server implementations expose the raw files at specific commits / branches over https. the exact url differs between implementations. gitworkshop.dev uses it it to get the readme. FYI, if `git archive` was turned on by default by git servers we could use that. otherwise,to use the git protocol you need to shallow clone the repo. I considered doing this, but this is quite expensive for a stateless proxy.
Why not show both as different things (in case they are different)? A git commit can also have an author and a committer
Yeah ngit repos have an event author and maintainers. Authors don't even have to be maintainers, do they?