On Mon, Jun 4, 2012 at 8:45 AM, Dirkjan Ochtman <[email protected]> wrote: > > Well, it doesn't seem like a big deal IF there's an explicit merge > commit that's signed by a dev.
I'm not sure about that. If you were verifying a tree, how would you identify which commits were merged in by what dev, using an automated algorithm? The only thing the merge commit contains is a list of two parents, and a tree. It doesn't say which one is which, unless we can rely on their order. Now, all those intermediate commits were never actually published via rsync, so their integrity isn't a direct issue. However, I'm not sure how easy automated verification would be. Rich
