Re: Git-commits mailing list feed.

From: Paul Jakma
Date: Sun Apr 24 2005 - 22:43:35 EST

On Mon, 25 Apr 2005, Paul Jakma wrote:

You don't even need it, see my other mail. If:

- the signature is an object and added after the commit object

- tools know that signatures are 'proxies of' or precursors to the
objects they are signing (which makes sense, a signature by
definition refers to something else)

- the signature object refers to the object it is signing (e.g. a
'Signing <object ID>' header)

Then head can simply be the signature object and tools can find the commit by following the 'Signing' field of the signature (they don't even need to check the signature is valid). No index lookup needed.

You only need the index for historical verification really, and you can always generate an index if needs be (and have the tools maintain it).

Uh, I have no idea whether verifying a signature of a commit object is sufficient, i.e. equivalent to signing each file.

A commit refers to tree objects, which I presume list the SHA-1 object IDs of files, but IIRC Linus already described why a signature of the commit object should not be used to trust the rest of the commit... (I'll have to find his mail). If so, an index is required.
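
Added example, not part of the original message and not git's own code: a sketch of the layout proposed above, where head names a signature object, tools reach the commit through its 'Signing' header, and the index is regenerated by scanning the store. The object layout (headers, blank line, payload), the `signer` header, the function names and the sample objects are all assumptions made for illustration.

```python
import hashlib

def put(store, kind, body):
    """Store an object under the SHA-1 of its bytes and return that ID."""
    data = f"{kind}\n{body}".encode()
    oid = hashlib.sha1(data).hexdigest()
    store[oid] = data
    return oid

def parse(store, oid):
    """Re-hash the stored bytes, then split them into (kind, headers, payload)."""
    data = store[oid]
    if hashlib.sha1(data).hexdigest() != oid:
        raise ValueError(f"object {oid} does not match its ID")
    kind, _, rest = data.decode().partition("\n")
    head, _, payload = rest.partition("\n\n")
    headers = dict(l.split(" ", 1) for l in head.splitlines() if " " in l)
    return kind, headers, payload

def resolve_head(store, head):
    """Follow 'Signing' headers until a non-signature object is reached.
    As in the message, the signature itself is not checked here."""
    while True:
        kind, headers, _ = parse(store, head)
        if kind != "signature":
            return head
        head = headers["Signing"]

def build_index(store):
    """Regenerate the signed-object -> [signature IDs] index by scanning."""
    index = {}
    for oid in store:
        kind, headers, _ = parse(store, oid)
        if kind == "signature":
            index.setdefault(headers["Signing"], []).append(oid)
    return index

# Constructed sample objects (hypothetical layout: headers, blank line, payload).
STORE = {}
TREE = put(STORE, "tree", "note constructed-empty-tree\n\n")
COMMIT = put(STORE, "commit", f"tree {TREE}\n\nInitial commit")
SIG_A = put(STORE, "signature", f"Signing {COMMIT}\nsigner alice@example.org\n\n<sig bytes>")
SIG_B = put(STORE, "signature", f"Signing {COMMIT}\nsigner bob@example.org\n\n<sig bytes>")

if __name__ == "__main__":
    print(resolve_head(STORE, SIG_A) == COMMIT)
    print(build_index(STORE))
```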

