Re: [pass] Killing plaintext git:// in favor of https:// cloning
Yes, releases are. Obviously this conversation extends to much more than releases, though. I sign tags too: https://git.zx2c4.com/cgit/tag/?h=v0.12 ___ CGit mailing list CGit@lists.zx2c4.com http://lists.zx2c4.com/mailman/listinfo/cgit
Re: [pass] Killing plaintext git:// in favor of https:// cloning
On Tue, Feb 23, 2016 at 2:53 PM, Brian Minton wrote: > Certainly got can sign individual tags with an OpenPGP key. Each commit is > also hashed and the hashes are known. If you sign every commit, or at least > every release, the code can't be tampered with. This is the workflow of, for > instance, the Linux kernel. False. Commits in Linux development are not routinely signed. ___ CGit mailing list CGit@lists.zx2c4.com http://lists.zx2c4.com/mailman/listinfo/cgit