Add comment about why we're allowing xa.ref discrepancies sometimes
See https://github.com/flatpak/flatpak/pull/1013 for discussion.
Alexander Larsson
6 years ago
| 5103 | 5103 | |
| 5104 | 5104 | if (gpg_verify_summary) |
| 5105 | 5105 | { |
| 5106 | /* If we're using signed summaries, then the security is really due to the signatures on | |
| 5107 | * the summary, and the xa.ref is not needed for security. In particular, endless are | |
| 5108 | * currently using one single commit on multiple branches to handle devel/stable promotion. | |
| 5109 | * So, to support this we report branch discrepancies as a warning, rather than as an error. | |
| 5110 | * See https://github.com/flatpak/flatpak/pull/1013 for more discussion. | |
| 5111 | */ | |
| 5106 | 5112 | g_auto(GStrv) checkout_ref = NULL; |
| 5107 | 5113 | g_auto(GStrv) commit_ref = NULL; |
| 5108 | 5114 |