Hello, Just a small comment.
On 12/07/2016 03:48 PM, Jelle van der Waa wrote: > * git url, but no #tag= or #commit= specified, should verify HEAD on the > #branch or no tag, commit, branch case. For a #commit=hash you shouldn't have to verify anything, since git itself guarantees that the code under a specific commit hash cannot change. Everything else can change, including tags, so those are suitable for pgp verification. Thanks, Travis
