On Fri, Aug 05, 2016 at 09:35:59AM +0200, Andy Wingo wrote: > Yeah. I guess I don't see see "author misattribution on unsigned > commits" as part of the threat model. > > My mental model is that if you have a signed commit A with unsigned > parents B, C, ..., that it's the person who signed commit A who signs > off on commits B, C, and so on. That person attests to the integrity of > that range of commits, *including* the author field(s).
But, how does anyone know that the person who signed A attests to B and C? I don't think Git has a feature that conveys that intention.
