On Tue, Feb 23, 2016 at 2:53 PM, Brian Minton <[email protected]> wrote: > Certainly got can sign individual tags with an OpenPGP key. Each commit is > also hashed and the hashes are known. If you sign every commit, or at least > every release, the code can't be tampered with. This is the workflow of, for > instance, the Linux kernel.
False. Commits in Linux development are not routinely signed. _______________________________________________ CGit mailing list [email protected] http://lists.zx2c4.com/mailman/listinfo/cgit
