| 1 |
On 11 August 2015 at 09:05, Matthias Maier <tamiko@g.o> wrote: |
| 2 |
> We could also provide automatic signed tags every 30min/1h/2h/whatever |
| 3 |
> (signed with a suitable infrastructure key). With that, the integrity of |
| 4 |
> a tagged git checkout can be easily verified on client side. |
| 5 |
|
| 6 |
|
| 7 |
I'm distinctly under the impression that a signed tag doesn't really |
| 8 |
give you anything a signed commit wouldn't. |
| 9 |
|
| 10 |
That is, I was under the impression signing a tag only signs the |
| 11 |
references themselves, and then relies on SHA1 referential integrity |
| 12 |
beyond that. |
| 13 |
|
| 14 |
|
| 15 |
Hence, a signed tag basically is a statement proving X author |
| 16 |
authorized Y-SHA1, and then it subsequently implies that X author |
| 17 |
authorized whatever Y-SHA1 refers to. |
| 18 |
|
| 19 |
So adding additional tags *just* for the purpose of having a periodic |
| 20 |
signature would give no benefit over the "all tags are signed, all |
| 21 |
commits are signed" mechanism for git users, and the signed tag could |
| 22 |
_not_ be verified against an RSYNC clone. |
| 23 |
|
| 24 |
-- |
| 25 |
Kent |
| 26 |
|
| 27 |
KENTNL - https://metacpan.org/author/KENTNL |
Archives