1 |
On Mon, Jun 4, 2012 at 8:45 AM, Dirkjan Ochtman <djc@g.o> wrote: |
2 |
> |
3 |
> Well, it doesn't seem like a big deal IF there's an explicit merge |
4 |
> commit that's signed by a dev. |
5 |
|
6 |
I'm not sure about that. If you were verifying a tree, how would you |
7 |
identify which commits were merged in by what dev, using an automated |
8 |
algorithm? |
9 |
|
10 |
The only thing the merge commit contains is a list of two parents, and |
11 |
a tree. It doesn't say which one is which, unless we can rely on |
12 |
their order. Now, all those intermediate commits were never actually |
13 |
published via rsync, so their integrity isn't a direct issue. |
14 |
However, I'm not sure how easy automated verification would be. |
15 |
|
16 |
Rich |