Thread (1 message) 1 message, 1 author, 2016-06-15

Re: [git patches] libata updates, GPG signed (but see admin notes)

From: Junio C Hamano <hidden>
Date: 2016-06-15 22:52:21

Ted Ts'o [off-list ref] writes:
Suppose the project wasn't Linus, but some other project, say, a
...
this, and are good (Kevin Mitnick or better) at social engineering
attacks.

In this sort of scenario, it's useful if *other* people could
independently verify the Troll3 git tree via the crypto signatures,
even though the central maintainer couldn't be bothered to check the
crypto signatures.
I think we are in total agreement here ;-)
Here's an idea.... what if the "signed push" information could be
embedded into the merge commit's description? That is, the
information could sent via a signed git tag, or some other mechanism,...
I think you described what the signed-commit series that is cooking in
'next' is about way better than I have done so far ;-)

The contributors sign the tips of their histories (which can independently
be validated), the integrator pulls and can choose to bother or not to
bother the tips s/he obtains, and the integrator signs his/her tip before
s/he pushes the integration result out for general consumption.
...
The problem with notes and tags is that they have to be pushed
separately, and might get lost; where as if they are stored in the
merge commit's description, they will always be there.
Exactly.
Keyboard shortcuts
hback out one level
jnext message in thread
kprevious message in thread
ldrill in
Escclose help / fold thread tree
?toggle this help