Sebastian Götte wrote:

> git merge/pull:
> When --verify-signatures is specified on the command-line of git-merge
> or git-pull, check whether the commits being merged have good gpg
> signatures and abort the merge in case they do not. This allows e.g.
> auto-deployment from untrusted repo hosts.

This leaves me pretty nervous.  Is there an argument to pass in to
specify a keyring with public keys to trust?  Without that, it is
presumably using ~/.gnupg/trustdb.gpg, which is about trust of
identity rather than trust to provide code to run on my machine. :(

If there's a good way to avoid that, this looks like a good thing to
do, though.

Hope that helps,
To unsubscribe from this list: send the line "unsubscribe git" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Reply via email to