On Tue, Feb 23, 2016 at 2:53 PM, Brian Minton <br...@minton.name> wrote: > Certainly got can sign individual tags with an OpenPGP key. Each commit is > also hashed and the hashes are known. If you sign every commit, or at least > every release, the code can't be tampered with. This is the workflow of, for > instance, the Linux kernel.
False. Commits in Linux development are not routinely signed. _______________________________________________ CGit mailing list CGit@lists.zx2c4.com http://lists.zx2c4.com/mailman/listinfo/cgit