On Tue, Aug 20, 2013 at 08:32:21PM +0200, Stephan Beal wrote:
> On Tue, Aug 20, 2013 at 8:07 PM, John Long <[email protected]> wrote:
>
> > I need to go back in the archives and see where I can find an example of
> > this but in the meantime to ask the obvious, is fossil verifying the
> > signatures as part of the commit process or does fossil simply carry the
> > data so the signature can be verified manually?
> >
>
> It simply carries them over and accounts for them while parsing manifests.
> If there is code to verify them, i haven't seen it yet.

If you're working on flagging PGP commits then it would be really nice to say PGP in red if the signature doesn't verify or green if it does or something like that. Otherwise saying "PGP" on a commit does more harm than good imho.

Personally for hosted projects I'd like to see a feature that has an option to verify the signature on commits before committing them as a protection against unauthorized access to the repo (weak passwords, http instead of https etc.)

/jl

