Gentoo Archives: gentoo-dev

From: "Andreas K. Huettel" <dilfridge@g.o>
To: gentoo-dev@l.g.o
Subject: Re: Re: [gentoo-dev] Git braindump: 1 of N: merging & git signing
Date: Mon, 04 Jun 2012 20:53:53
Message-Id: 7308566.bhOiMBkA6R@grenadine
In Reply to: Re: [gentoo-dev] Git braindump: 1 of N: merging & git signing by Brian Harring
1 > A signed commit is a signing of the git metadata; tree hash
2 > (literally, the state of the tree), committer, author, message, and
3 > parent sha1. Each git commit includes it's parent sha1 in it; this
4 > gives a locked history for a given commit sha1 (unless someone
5 > preimages sha1). What matters is that the leaf node, the final point
6 > in the graph, is signed- that's a dev sign off on effectively that
7 > they created that particular locked history. Realistically signing of
8 > each node is preferable, but the leaf is the minimal required.
9
10 No. What is signed is the "new data" plus the parent hash(es).
11
12 No such thing as a "tree hash".
13
14 --
15 Andreas K. Huettel
16 Gentoo Linux developer
17 kde, sci, arm, tex, printing

Attachments

File name MIME type
signature.asc application/pgp-signature

Replies

Subject Author
Re: [gentoo-dev] Git braindump: 1 of N: merging & git signing Ciaran McCreesh <ciaran.mccreesh@××××××××××.com>