On Mon, Jun 4, 2012 at 8:45 AM, Dirkjan Ochtman <firstname.lastname@example.org> wrote:
> Well, it doesn't seem like a big deal IF there's an explicit merge
> commit that's signed by a dev.
I'm not sure about that. If you were verifying a tree, how would you
identify which commits were merged in by what dev, using an automated
The only thing the merge commit contains is a list of two parents, and
a tree. It doesn't say which one is which, unless we can rely on
their order. Now, all those intermediate commits were never actually
published via rsync, so their integrity isn't a direct issue.
However, I'm not sure how easy automated verification would be.