Hi,

On 09/15/2014 01:37 AM, Kent Fredric wrote:
> On 15 September 2014 11:25, hasufell <hasuf...@gentoo.org> wrote:
>
>> Robin said
>>> The Git commit-signing design explicitly signs the entire commit,
>>> including blob contents, to avoid this security problem.
>>
>> Is this correct or not?
>>
>
> I can verify a commit by hand with only the commit object and gpg, but
> without any of the trees or parents.
>
> https://gist.github.com/kentfredric/8448fe55ffab7d314ecb
>
So signing of git commits does not guarantee enough security (taking that SHA1 is weak and can be broken), right? Could we then just use usual (not thin) manifests?

-- 
Jauhien
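As an added example (not code from this thread, from Kent's gist, or from the Gentoo project): the split that `git verify-commit` performs before handing a commit to gpg, written out in Python. The commit object below is constructed for the example; its hashes are placeholders and the armored block is not a real signature, so the optional gpg step reports a failed verification. What it shows is the mechanism Kent describes: the signed payload is the commit object minus its gpgsig header, and the only thing that payload says about the tree and the parents is their SHA-1 names.

```python
"""Separate a git commit object into the signed payload and its detached
OpenPGP signature, the split `git verify-commit` performs before calling gpg.

Added example for this thread, not code from the thread or from Gentoo.
The commit object below is constructed: the hashes are placeholders and
the armored block is not a real signature, so gpg will (correctly) reject it.
"""
import shutil
import subprocess
import tempfile
from pathlib import Path

SAMPLE_COMMIT = (
    "tree 4b825dc642cb6eb9a060e54bf8d69288fbee4904\n"
    "parent da39a3ee5e6b4b0d3255bfef95601890afd80709\n"
    "author Jane Dev <jane@example.org> 1410739200 +0200\n"
    "committer Jane Dev <jane@example.org> 1410739200 +0200\n"
    "gpgsig -----BEGIN PGP SIGNATURE-----\n"
    " Version: GnuPG v2\n"
    " \n"  # a blank line inside the armor is stored by git as a single space
    " iQEcBAABAgAGBQJUFkXXAAoJEPlaceholderNotARealSig=\n"
    " =AbCd\n"
    " -----END PGP SIGNATURE-----\n"
    "\n"
    "Add a file\n"
)


def split_signed_commit(raw):
    """Return (payload, signature) for a signed commit object.

    payload   is exactly what the signer fed to gpg: every header except
              gpgsig, the blank line, and the commit message
    signature is the armored block with git's one-space continuation
              indent removed from each line
    """
    headers, sep, message = raw.partition("\n\n")
    if not sep:
        raise ValueError("not a commit object: no blank line after the headers")
    kept, sig_lines, in_sig = [], [], False
    for line in headers.split("\n"):
        if line.startswith("gpgsig "):
            in_sig = True
            sig_lines.append(line[len("gpgsig "):])
        elif in_sig and line.startswith(" "):
            sig_lines.append(line[1:])  # continuation line of the gpgsig header
        else:
            in_sig = False
            kept.append(line)
    if not sig_lines:
        raise ValueError("commit is not signed: no gpgsig header")
    payload = "\n".join(kept) + "\n\n" + message
    signature = "\n".join(sig_lines) + "\n"
    return payload, signature


def commit_refs(payload):
    """Hashes the signed payload points at: the tree and the parent commits.
    Blob contents are reached only through these SHA-1 names."""
    refs = {"tree": None, "parents": []}
    for line in payload.partition("\n\n")[0].split("\n"):
        key, _, value = line.partition(" ")
        if key == "tree":
            refs["tree"] = value
        elif key == "parent":
            refs["parents"].append(value)
    return refs


def verify_with_gpg(raw):
    """Run `gpg --verify` on the split pieces. Returns True/False, or None
    when no gpg binary is on PATH."""
    if shutil.which("gpg") is None:
        return None
    payload, signature = split_signed_commit(raw)
    with tempfile.TemporaryDirectory() as tmp:
        sig_path = Path(tmp, "commit.sig")
        data_path = Path(tmp, "commit.payload")
        sig_path.write_text(signature)
        data_path.write_text(payload)
        result = subprocess.run(
            ["gpg", "--batch", "--verify", str(sig_path), str(data_path)],
            capture_output=True, text=True,
        )
    return result.returncode == 0


if __name__ == "__main__":
    payload, signature = split_signed_commit(SAMPLE_COMMIT)
    print("signed payload:\n" + payload)
    print("refs covered by the signature:", commit_refs(payload))
    print("gpg verdict:", verify_with_gpg(SAMPLE_COMMIT))
```

To run it against a real repository, replace SAMPLE_COMMIT with the output of `git cat-file commit <sha>`; the payload it prints is the whole of what the signature covers, and the tree and parent lines are the only link from that payload to the blobs.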