
Investigate push-signing and transparency logs as mitigation for repository attacks

For background see:

The idea here would be that some repositories (e.g. tor.git) could require signed pushes. We could then archive these signed pushes in an append-only log for auditing.

There are subproblems that would need to be solved for this to work:

  • Only allow signed pushes on certain repositories (would require a per-repository gitolite hook).
  • Allow signed pushes (requires setting certain options in gitconfig; see certNonceSeed, certNonceSlop, and advertisePushOptions).
  • Make an append-only log of these signed pushes (possibly using trillian, possibly using some simpler transparency-log tool).
  • Make a tool to audit this log and make sure that it's consistent and that it generates the current state of the repository.
  • Decide what to do about key management.

And possibly:

  • Make a tool that can be used at pull time to check the latest branch against the log.
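An added example (not from this issue or from any tor.git tooling) of what the append-only log, its auditor, and the pull-time check could look like in miniature: a hash-chained log of push certificates, plus an audit that verifies the chain and replays the logged ref updates to derive the expected repository state. The certificates, pusher identity and object ids below are constructed, and the log is an in-memory list rather than a real transparency-log backend.

```python
import hashlib

ZERO = "0" * 40  # git's null object id: ref created (old) or deleted (new)
# Constructed sample push certificates, in the layout git sends them (header
# lines, blank line, "<old> <new> <ref>" lines). The PGP signature git appends
# is omitted here: checking it is git's job, reported via GIT_PUSH_CERT_STATUS.
HEADER = ("certificate version 0.1\n"
          "pusher alice <alice@example.org> 1700000000 +0000\n"
          "pushee git@example.org:tor.git\n"
          "nonce 1700000000-constructed\n\n")
CERT1 = HEADER + f"{ZERO} {'a' * 40} refs/heads/main\n"
CERT2 = HEADER + f"{'a' * 40} {'b' * 40} refs/heads/main\n"

def parse_cert(cert):
    """Return (header dict, [(old, new, ref), ...]) for one push certificate."""
    header, _, body = cert.partition("\n\n")
    meta = dict(line.split(" ", 1) for line in header.splitlines())
    updates = []
    for line in body.splitlines():
        if line.startswith("-----BEGIN"):  # signature block, if present
            break
        old, new, ref = line.split()
        updates.append((old, new, ref))
    return meta, updates

def entry_hash(prev, cert):
    return hashlib.sha256((prev + cert).encode()).hexdigest()

def append(log, cert):
    """Append an accepted certificate; each entry commits to its predecessor."""
    prev = log[-1]["hash"] if log else ZERO
    log.append({"prev": prev, "cert": cert, "hash": entry_hash(prev, cert)})
    return log[-1]["hash"]

def audit(log, current_refs):
    """Verify the chain and replay every update; return (ok, derived refs)."""
    prev, refs = ZERO, {}
    for entry in log:
        if entry["prev"] != prev or entry_hash(prev, entry["cert"]) != entry["hash"]:
            return False, refs  # broken or tampered chain
        for old, new, ref in parse_cert(entry["cert"])[1]:
            if refs.get(ref, ZERO) != old:
                return False, refs  # update does not build on the logged state
            if new == ZERO:
                refs.pop(ref, None)
            else:
                refs[ref] = new
        prev = entry["hash"]
    return refs == current_refs, refs
```

A plain hash chain only detects modification or reordering of earlier entries; detecting a silently truncated tail is what a signed tree head from a tool like trillian adds. Signature validity itself is still decided by git and reported to the receiving hook through GIT_PUSH_CERT_STATUS, so the log should only ever receive certificates that hook accepted.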

There are also some sub-sub problems:

  • Can we disable the merge button on target repositories?