On 11 August 2015 at 09:05, Matthias Maier <tamiko@g.o> wrote:
> We could also provide automatic signed tags every 30min/1h/2h/whatever
> (signed with a suitable infrastructure key). With that, the integrity of
> a tagged git checkout can be easily verified on client side.


I'm distinctly under the impression that a signed tag doesn't really
give you anything a signed commit wouldn't.

That is, I was under the impression signing a tag only signs the
references themselves, and then relies on SHA1 referential integrity
beyond that.


Hence, a signed tag basically is a statement proving X author
authorized Y-SHA1, and then it subsequently implies that X author
authorized whatever Y-SHA1 refers to.

So adding additional tags *just* for the purpose of having a periodic
signature would give no benefit over the "all tags are signed, all
commits are signed" mechanism for git users, and the signed tag could
_not_ be verified against an RSYNC clone.

--
Kent

KENTNL - https://metacpan.org/author/KENTNL
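An added illustration of the point made above, not part of the thread: the bytes a tag signature covers contain only the commit id, so after the signature itself checks out, whether the checkout matches is purely a question of recomputing the SHA-1 object chain. The object formats are git's own; the identity, file contents and tag name are constructed sample values.

```python
import hashlib

def git_oid(obj_type, payload):
    """Object id git assigns: sha1("<type> <size>\\0" + payload)."""
    return hashlib.sha1(f"{obj_type} {len(payload)}\0".encode() + payload).hexdigest()

def tree_oid(entries):
    """entries: list of (mode, name, blob_oid); git stores them sorted by name."""
    raw = b"".join(f"{m} {n}\0".encode() + bytes.fromhex(o)
                   for m, n, o in sorted(entries, key=lambda e: e[1]))
    return git_oid("tree", raw)

def commit_oid(tree, parents, ident, message):
    body = f"tree {tree}\n" + "".join(f"parent {p}\n" for p in parents)
    body += f"author {ident}\ncommitter {ident}\n\n{message}"
    return git_oid("commit", body.encode())

def tag_body(commit, name, ident, message):
    """The bytes a tag signature covers: a commit id plus metadata, no file content."""
    return f"object {commit}\ntype commit\ntag {name}\ntagger {ident}\n\n{message}".encode()

def checkout_commit_oid(files, parents, ident, message):
    """Recompute the commit id from the files a client actually has on disk."""
    entries = [("100644", name, git_oid("blob", data)) for name, data in files.items()]
    return commit_oid(tree_oid(entries), parents, ident, message)

def tag_matches_checkout(signed_tag, files, parents, ident, message):
    """Assuming the signature over signed_tag already verified, the only thing it
    vouches for is the 'object' line; everything below that is SHA-1 referential
    integrity, which is exactly what a plain rsync copy of the tree cannot supply."""
    object_line = signed_tag.split(b"\n", 1)[0]
    expected = checkout_commit_oid(files, parents, ident, message).encode()
    return object_line == b"object " + expected

# Constructed sample data, not taken from any real repository.
IDENT = "Infra Key <infra@example.invalid> 1439283900 +0000"
ORIGINAL = {"hello.txt": b"hello\n"}
TAMPERED = {"hello.txt": b"hello, world\n"}

def demo():
    commit = checkout_commit_oid(ORIGINAL, [], IDENT, "initial\n")
    signed = tag_body(commit, "snapshot-2015-08-11T09", IDENT, "periodic snapshot\n")
    return (tag_matches_checkout(signed, ORIGINAL, [], IDENT, "initial\n"),
            tag_matches_checkout(signed, TAMPERED, [], IDENT, "initial\n"))

if __name__ == "__main__":
    print(demo())  # (True, False)
```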