Gentoo Archives: gentoo-dev

From: "Andreas K. Huettel" <dilfridge@g.o>
To: gentoo-dev@l.g.o
Subject: Re: Re: [gentoo-dev] Git braindump: 1 of N: merging & git signing
Date: Mon, 04 Jun 2012 20:53:53
Message-Id: 7308566.bhOiMBkA6R@grenadine
In Reply to: Re: [gentoo-dev] Git braindump: 1 of N: merging & git signing by Brian Harring
> A signed commit is a signing of the git metadata; tree hash
> (literally, the state of the tree), committer, author, message, and
> parent sha1. Each git commit includes its parent sha1 in it; this
> gives a locked history for a given commit sha1 (unless someone
> preimages sha1). What matters is that the leaf node, the final point
> in the graph, is signed - that's a dev sign off on effectively that
> they created that particular locked history. Realistically signing of
> each node is preferable, but the leaf is the minimal required.

No. What is signed is the "new data" plus the parent hash(es). No such thing as a "tree hash".

--
Andreas K. Huettel
Gentoo Linux developer
kde, sci, arm, tex, printing

Attachments

File name MIME type
signature.asc application/pgp-signature

Replies

Subject Author
Re: [gentoo-dev] Git braindump: 1 of N: merging & git signing Ciaran McCreesh <ciaran.mccreesh@××××××××××.com>
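
The commit object format and parent-hash chaining discussed in this message, as an added Python illustration that is not part of the thread. The function names, the identity line, the timestamp and the signature text are constructed for the example; no real signature is created or verified.

```python
import hashlib

# Constructed placeholder, not a real OpenPGP signature.
SAMPLE_SIG = ("-----BEGIN PGP SIGNATURE-----\n\n"
              "(constructed placeholder)\n-----END PGP SIGNATURE-----")

def git_object_id(kind, body):
    """Object id as git computes it: sha1(b"<kind> <len>\\0" + body)."""
    return hashlib.sha1(f"{kind} {len(body)}".encode() + b"\0" + body).hexdigest()

def build_commit(tree, parents, message, gpgsig=None):
    """Serialize a commit object; the ident line is a constructed sample."""
    ident = "Example Dev <dev@example.org> 1338843233 +0000"
    lines = [f"tree {tree}"] + [f"parent {p}" for p in parents]
    lines += [f"author {ident}", f"committer {ident}"]
    if gpgsig is not None:
        # A multi-line header value continues on lines that start with a space.
        lines.append("gpgsig " + gpgsig.replace("\n", "\n "))
    return ("\n".join(lines) + "\n\n" + message).encode()

def signed_payload(commit):
    """Bytes the signature covers: the commit with its gpgsig header removed."""
    header, _, message = commit.partition(b"\n\n")
    kept, skipping = [], False
    for line in header.split(b"\n"):
        if line.startswith(b"gpgsig "):
            skipping = True            # drop the header's first line
        elif skipping and line.startswith(b" "):
            continue                   # drop its continuation lines
        else:
            skipping = False
            kept.append(line)
    return b"\n".join(kept) + b"\n\n" + message

def demo():
    tree = git_object_id("tree", b"")  # id of a tree with no entries
    root_id = git_object_id("commit", build_commit(tree, [], "initial import\n"))
    leaf = build_commit(tree, [root_id], "second commit\n")
    signed = build_commit(tree, [root_id], "second commit\n", gpgsig=SAMPLE_SIG)
    # Alter the ancestor: its id changes, so the leaf's parent line and id change.
    forged_root_id = git_object_id("commit", build_commit(tree, [], "altered import\n"))
    forged_leaf = build_commit(tree, [forged_root_id], "second commit\n")
    return {"empty_tree": tree,
            "payload_matches_unsigned": signed_payload(signed) == leaf,
            "leaf_id": git_object_id("commit", leaf),
            "forged_leaf_id": git_object_id("commit", forged_leaf)}

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```
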