Investigate push-signing and transparency logs as mitigation for repository attacks

For background see:

The idea here would be that some repositories (eg tor.git) could require signed pushes. Then we could archive these signed pushes in an append-only log, for auditing.

There are subproblems that would need to be solved for this to work:

Only allow signed pushes on certain repositories (would require a per-repository gitolite hook).
Allow signed pushes (requires setting certain options in gitconfig, see certNonceSeed, certNonceSlop, and advertisePushOptions)
Make an append-only log of these signed pushes (possibly using trillian, possibly using some simpler transparency-log tool).
Make a tool to audit this log and make sure that it's consistent and that it generates the current state of the repository.
Decide what to do about key management.

And possibly:

Make a tool that can be used at pull time to check the latest branch against the log.

There are also some sub-sub problems:

Can we disable the merge button on target repositories?

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information