Hello,

On Thu, 18 Dec 2025 at 03:00, Tomas Volf <[email protected]> wrote:

> [the authentication] protects against compromised forge.

Git was initially released in 2005; GPG-signed commits were added later in Git 1.7.9 (2012) [1].

Git's original security model already provides compromised forge detection:

- objects are content-addressed (SHA-1, now SHA-256),
- history forms a Merkle tree,
- any rewrite, injection, or silent modification by a forge is detectable.

Commit signing strengthens author authentication and provenance, but compromised forge detection itself follows from Git's hash-based object model.

Cheers,
Bost

[1] https://github.com/git/git/blob/c4a0c8845e2426375ad257b6c221a3a7d92ecfda/Documentation/RelNotes/1.7.9.adoc?plain=1#L56
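
Added example, not part of the original message: a short Python sketch of the hash chain the message refers to, computing blob, tree and commit ids the way Git does with SHA-1. The identity, timestamp, file names and contents are constructed, and the comparison assumes the client already holds a commit id it trusts.

```python
import hashlib


def object_id(kind: str, body: bytes) -> bytes:
    """Git object id: SHA-1 over b'<kind> <len>\\0' + body (raw 20 bytes)."""
    header = f"{kind} {len(body)}".encode() + b"\x00"
    return hashlib.sha1(header + body).digest()


def tree_id(files: dict) -> bytes:
    """Flat tree of regular files: b'100644 <name>\\0' + raw blob id per entry."""
    entries = sorted((name.encode(), data) for name, data in files.items())
    body = b"".join(
        b"100644 " + name + b"\x00" + object_id("blob", data)
        for name, data in entries
    )
    return object_id("tree", body)


def commit_id(tree: bytes, parents: list, message: str) -> bytes:
    """Commit object: names its tree and parents by hash, then the message."""
    who = "Example Dev <dev@example.invalid> 1700000000 +0000"  # constructed
    lines = [f"tree {tree.hex()}"]
    lines += [f"parent {p.hex()}" for p in parents]
    lines += [f"author {who}", f"committer {who}", "", message]
    return object_id("commit", "\n".join(lines).encode() + b"\n")


def build_history(snapshots: list) -> list:
    """Commit ids of a linear history, one commit per file snapshot."""
    ids, parents = [], []
    for i, files in enumerate(snapshots):
        cid = commit_id(tree_id(files), parents, f"commit {i}")
        ids.append(cid)
        parents = [cid]
    return ids


# Constructed sample: history as published, and as served after a rewrite
# of the first commit's file content.
HONEST = [{"README": b"hello\n"}, {"README": b"hello\n", "run.sh": b"make\n"}]
TAMPERED = [{"README": b"hell0\n"}, {"README": b"hello\n", "run.sh": b"make\n"}]

if __name__ == "__main__":
    trusted_tip = build_history(HONEST)[-1]
    served_tip = build_history(TAMPERED)[-1]
    print("trusted tip:", trusted_tip.hex())
    print("served tip: ", served_tip.hex())
    print("rewrite detected:", trusted_tip != served_tip)
```

The second snapshot is identical in both histories, yet the tip ids differ because each commit hashes its parent's id.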
