Re: Git-commits mailing list feed.

From: Paul Jakma
Date: Sun Apr 24 2005 - 22:48:42 EST

On Mon, 25 Apr 2005, Paul Jakma wrote:

Uh, I have no idea whether verifying a signature of a commit object is sufficient, i.e. equivalent to signing each file.

A commit refers to tree objects, which I presume list the SHA-1 object IDs of files, but IIRC Linus already described why a signature of the commit object should not be used to trust the rest of the commit (I'll have to find his mail). If so, an index is required.

Ah, apparently it is sufficient:


“Just signing the commit is indeed sufficient to just say "I trust this commit". But I essentially what to also say what I trust it _for_ as well.”

So this would work for commit objects.

It would also work for tag objects, if you pointed people at the signature
object rather than the actual tag object.

Paul Jakma paul@xxxxxxxx paul@xxxxxxxxx Key ID: 64A2FF6A
Humor in the Court:
Q. Were you acquainted with the deceased?
A. Yes, sir.
Q. Before or after he died?
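
An added illustration, not part of the original message: a sketch of why a signature over a commit ID also binds the file contents, since the commit names a tree by SHA-1 and the tree names each blob by SHA-1. It assumes the object layout used by current Git and a flat tree of regular files; the file names, author line and helper names are constructed for the example.

```python
import hashlib

def git_object_id(obj_type, body):
    # Git hashes "<type> <size>\0" followed by the object body.
    header = f"{obj_type} {len(body)}".encode() + b"\x00"
    return hashlib.sha1(header + body).hexdigest()

def blob_id(content):
    return git_object_id("blob", content)

def tree_id(files):
    # Flat tree: "<mode> <name>\0" + raw 20-byte blob ID, entries sorted by name.
    body = b""
    for name in sorted(files):
        raw = bytes.fromhex(blob_id(files[name]))
        body += b"100644 " + name.encode() + b"\x00" + raw
    return git_object_id("tree", body)

def commit_id(files, message):
    # Constructed author/committer line; a root commit with no parent.
    who = "A U Thor <author@example.com> 1114383600 +0000"
    body = (f"tree {tree_id(files)}\n"
            f"author {who}\ncommitter {who}\n\n{message}\n").encode()
    return git_object_id("commit", body)

def matches_signed_commit(signed_id, files, message):
    # A verifier recomputes the chain and compares it with the ID that was signed.
    return commit_id(files, message) == signed_id

if __name__ == "__main__":
    files = {"Makefile": b"all:\n", "README": b"hello world\n"}
    signed = commit_id(files, "initial import")  # the ID a signature would cover
    tampered = dict(files, README=b"hello w0rld\n")
    print("original matches:", matches_signed_commit(signed, files, "initial import"))
    print("tampered matches:", matches_signed_commit(signed, tampered, "initial import"))
```

The binding is only as strong as SHA-1's collision resistance, and the signature says nothing about what the commit is trusted for, which is the distinction drawn in the quoted reply.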