‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> A "bad" commit might still be perfectly fine to fetch certain things from if
> they're unaffected by it

The database could store a comment with each "bad" commit hash to help people decide if they're affected. It could even go further and include a list of tainted packages, so you could programmatically determine whether one of them is in your dependency tree.

> you're now tasked with the job of keeping the list of bad commits safe
> somehow.

Right now afaik Ludovic's key is the root of trust (is this still true?) so I imagine we'd sign the list too, with that key or some other key signed by it.

> In some situations resetting a branch might work, but obviously not for
> months old sleeper commits.

Not sure what you mean by this, can you explain?
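The programmatic check proposed above, as an added example that is not part of the thread or of Guix itself: the database layout (commit hash to comment plus tainted packages), the commit hashes and the dependency graph are all constructed placeholders, and verifying the signature on the list before trusting it is left outside the snippet.

```python
from collections import deque

# Constructed sample database: bad commit hash -> comment and tainted packages.
# The hashes are placeholders, not real commits.
BAD_COMMITS = {
    "0000000000000000000000000000000000000000": {
        "comment": "placeholder: malicious change to foo's build phase",
        "tainted": ["foo"],
    },
    "1111111111111111111111111111111111111111": {
        "comment": "placeholder: backdoored libbar release",
        "tainted": ["libbar", "bar-tools"],
    },
}

# Constructed dependency graph: package -> direct dependencies.
DEPS = {
    "my-app": ["libbaz", "foo"],
    "libbaz": ["libqux"],
    "libqux": [],
    "foo": ["libqux"],
    "other-app": ["libbar"],
    "libbar": [],
    "bar-tools": ["libbar"],
}


def closure(roots, deps):
    """Transitive dependency set of roots (roots included), iterative BFS
    so that cycles in the graph do not recurse forever."""
    seen = set()
    queue = deque(roots)
    while queue:
        pkg = queue.popleft()
        if pkg in seen:
            continue
        seen.add(pkg)
        queue.extend(deps.get(pkg, ()))
    return seen


def affected_commits(roots, deps, bad_commits):
    """For each bad commit whose tainted packages intersect the closure,
    return the comment and the tainted packages actually present, so the
    user can judge whether that commit affects them at all."""
    present = closure(roots, deps)
    hits = {}
    for commit, info in bad_commits.items():
        overlap = sorted(set(info["tainted"]) & present)
        if overlap:
            hits[commit] = {"comment": info["comment"], "packages": overlap}
    return hits


if __name__ == "__main__":
    for commit, hit in affected_commits(["my-app"], DEPS, BAD_COMMITS).items():
        print(commit[:12], hit["packages"], "-", hit["comment"])
```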