Victor Duchovni:
> On Thu, Oct 01, 2009 at 01:46:51PM -0400, Wietse Venema wrote:
>
> > Then we agree. A system that computes SHA1 without secret key
> > provides no detection of after-the-fact changes.
>
> Except that the SHA-1 signature is just 20 bytes covering the entire
> tree, and there are *many* trees (no single master), with some more
> stable than others, the digests of the stable trees can be signed and/or
> saved off-line. Tampering with prior history in a tree is hard, if
> one wants to convince all the other tree copies that the altered
> tree is genuine. One can of course create new leaf nodes (patches),
> but these are clearly visible as new revisions.
>
> So "git" is IIRC more tamper-evident than it seems at first glance,
> provided that there are lots of trees (which is typically the case),
> and developers notice that their tree is inconsistent with the previously
> common history of a tree they are pulling from or pushing to.

I'll be certain about the correctness of a single instance, and avoid
the complexities of 'correctness by majority vote' after the fact.

Wietse
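The two positions in this exchange, as an added Python example that is not part of the original messages: an unkeyed hash chain still verifies after history is rewritten and every id recomputed, while a tip digest saved off-line, or a keyed tag over it, exposes the change. Assumptions: `commit_id` is a simplified stand-in for git's object hashing, and the history, key and helper names are constructed for illustration.

```python
import hashlib
import hmac

def commit_id(parent: str, content: str) -> str:
    # Simplified stand-in for a git commit id: SHA-1 over parent id plus content.
    return hashlib.sha1(f"{parent}\n{content}".encode()).hexdigest()

def build_chain(contents):
    """Return [(commit_id, content), ...]; each id covers all prior history."""
    chain, parent = [], ""
    for content in contents:
        parent = commit_id(parent, content)
        chain.append((parent, content))
    return chain

def self_consistent(chain) -> bool:
    """Unkeyed check: recompute every id from the data stored beside it."""
    parent = ""
    for cid, content in chain:
        if commit_id(parent, content) != cid:
            return False
        parent = cid
    return True

def sign_tip(key: bytes, tip: str) -> str:
    # Keyed tag over the 20-byte tip digest; the key never lives in the tree.
    return hmac.new(key, tip.encode(), hashlib.sha256).hexdigest()

def tip_authentic(key: bytes, tip: str, tag: str) -> bool:
    return hmac.compare_digest(sign_tip(key, tip), tag)

# Constructed sample history and key (assumptions for this example).
HISTORY = ["initial import", "fix header parsing", "add TLS support"]
KEY = b"constructed-demo-key"

original = build_chain(HISTORY)
saved_tip = original[-1][0]          # digest saved off-line
saved_tag = sign_tip(KEY, saved_tip)  # keyed tag saved with it

# After-the-fact change: alter the second commit, then recompute all later ids.
tampered = build_chain([HISTORY[0], "fix header parsing (altered)", HISTORY[2]])

if __name__ == "__main__":
    print("tampered tree self-consistent:", self_consistent(tampered))
    print("matches saved tip:", tampered[-1][0] == saved_tip)
    print("keyed tag verifies:", tip_authentic(KEY, tampered[-1][0], saved_tag))
```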