On Wed, Aug 20, 2014 at 5:06 AM, Junio C Hamano <gits...@pobox.com> wrote:
> While signed tags and commits assert that the objects thusly signed
> came from you, who signed these objects, there is not a good way to
> assert that you wanted to have a particular object at the tip of a
> particular branch.  My signing v2.0.1 tag only means I want to call
> the version v2.0.1, and it does not mean I want to push it out to my
> 'master' branch---it is likely that I only want it in 'maint', so
> the signature on the object alone is insufficient.
> The only assurance to you that 'maint' points at what I wanted to
> place there comes from your trust on the hosting site and my
> authentication with it, which cannot easily be audited later.

I only had a quick read of a few important patches and may miss
something. But all this audit recording is left to the hook, right? I
suppose git-notes could be used to store the push cert blob, or the
server could make a signed tag to record this info in the ref... or do
you intend any other way to record these blobs?
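To make the point in the quoted paragraph concrete, here is an added example (not code from this thread or from git itself) of what a receiving side would check: a signature over an object proves who made the object, while a push certificate must bind the object to a specific ref update and to a server-issued nonce. The certificate layout, the use of HMAC-SHA256 as a stand-in for the pusher's GPG signature, the shared key, and the in-memory `record_notes` map (a git-notes-like audit store keyed by pushed object id) are all assumptions made for the example.

```python
import hashlib
import hmac

# Constructed sample values: fake 40-hex object ids standing in for commit ids.
TAGGED_COMMIT = hashlib.sha1(b"v2.0.1 commit").hexdigest()
OLD_MAINT = hashlib.sha1(b"old maint tip").hexdigest()
OLD_MASTER = hashlib.sha1(b"old master tip").hexdigest()


def build_cert(updates, nonce, pusher):
    """Serialize ref updates into a certificate body.

    Layout (assumed for this example, not git's own format): a header with
    the pusher identity and the server nonce, a blank line, then one
    '<old> <new> <ref>' line per ref update the pusher vouches for.
    """
    lines = [f"pusher {pusher}", f"nonce {nonce}", ""]
    for old, new, ref in updates:
        lines.append(f"{old} {new} {ref}")
    return "\n".join(lines) + "\n"


def sign(body, key):
    """HMAC-SHA256 stands in for a detached GPG signature (assumption)."""
    return hmac.new(key, body.encode(), hashlib.sha256).hexdigest()


def parse_cert(body):
    """Split a certificate body into its header fields and its ref updates."""
    header, _, payload = body.partition("\n\n")
    fields = dict(line.split(" ", 1) for line in header.splitlines())
    updates = [tuple(line.split(" ")) for line in payload.splitlines() if line]
    return fields, updates


def verify_update(body, sig, key, expected_nonce, old, new, ref):
    """Return True only if the signed certificate covers exactly this ref update.

    Three things must hold: the signature is valid for this body, the nonce is
    the one this server issued for this session (so an old certificate cannot
    be replayed), and the (old, new, ref) triple is listed in the body. A valid
    signature on the pushed object alone satisfies none of the last two.
    """
    if not hmac.compare_digest(sign(body, key), sig):
        return False
    fields, updates = parse_cert(body)
    if fields.get("nonce") != expected_nonce:
        return False
    return (old, new, ref) in updates


def record_notes(notes, body, sig):
    """Attach the certificate to each object it pushed, keyed by object id.

    This mirrors the idea of storing the certificate blob in git-notes: later,
    looking up a commit answers 'which signed push placed this at which ref'.
    """
    _, updates = parse_cert(body)
    for _old, new, ref in updates:
        notes.setdefault(new, []).append({"ref": ref, "cert": body, "sig": sig})
    return notes


def demo():
    """Pusher certifies moving 'maint' to the tagged commit, nothing else."""
    key = b"constructed-shared-secret"   # assumption: stands in for a GPG key
    nonce = "server-nonce-1"
    body = build_cert([(OLD_MAINT, TAGGED_COMMIT, "refs/heads/maint")], nonce, "pusher")
    sig = sign(body, key)
    # The update the pusher asked for is accepted.
    ok_maint = verify_update(body, sig, key, nonce, OLD_MAINT, TAGGED_COMMIT, "refs/heads/maint")
    # The same (signed, tagged) object on 'master' is not covered by the cert.
    ok_master = verify_update(body, sig, key, nonce, OLD_MASTER, TAGGED_COMMIT, "refs/heads/master")
    # Re-presenting the cert under a fresh server nonce is rejected as a replay.
    replay = verify_update(body, sig, key, "server-nonce-2", OLD_MAINT, TAGGED_COMMIT, "refs/heads/maint")
    return ok_maint, ok_master, replay


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

The `record_notes` map is where a receive hook would leave its audit trail: the question of whether that lives in git-notes, in a signed tag, or elsewhere is exactly the one the reply above raises, and the example only shows that whatever store is chosen needs to keep the certificate body and its signature together with the ref it authorized.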
