You’ll need someone to mirror it to IPFS anyway or if the original upload point is IPFS, to have commit access. Can’t you just have them sign mappings of IPFS hashes <–> git blob hash with their key? You have to trust them anyway.
If that’s not decentralized enough, you can use something like Freenet’s WebOfTrust. This would be useful for many other applications as well.
Here’s how it could be done for this particular use case:
- Start with git blob hash B
- Get the IPFS hash mapping from the most trusted node
- If it matches, assign positive trust to all nodes which asserted this was a valid mapping
- If it doesn’t match, assign negative trust to all nodes which asserted this was a valid mapping, return to step 2.
- If you’ve checked all hash mapping assertions from all nodes and none of them are valid, only then you can download it from a centralized server (and of course upload it to IPFS)
Since nobody would waste trusted keys on causing a minor slowdown for someone, you’ll in practice just have to perform steps 1 and 2.
Thoughts?