From: Deskin Miller <deskinm@umich.edu>
To: Johannes Schindelin <Johannes.Schindelin@gmx.de>
Cc: git@vger.kernel.org
Subject: Re: [RFC PATCH 4/4] Make git fetch verify signed tags
Date: Thu, 27 Nov 2008 19:19:01 -0500
Message-ID: <20081128001901.GC29662@euler>
In-Reply-To: <alpine.DEB.1.00.0811241143410.30769@pacific.mpi-cbg.de>

On Mon, Nov 24, 2008 at 11:44:40AM +0100, Johannes Schindelin wrote:
> Hi,
> 
> On Sun, 23 Nov 2008, Deskin Miller wrote:
> 
> > When git fetch downloads signed tag objects, make it verify them right 
> > then.  This extends the output summary of fetch to include "(good 
> > signature)" for valid tags and "(BAD SIGNATURE)" for invalid tags.  If 
> > the user does not have the correct key in the gpg keyring, gpg returns 
> > 2, verify_tag_sha1 returns -2 and nothing additional is output about the 
> > tag's validity.
> 
> This must be turned off by default, IMO.  You cannot expect each and every 
> developer to have gpg _and_ all those public keys installed.

Adding a configuration variable to control this makes sense, and is on
my TODO list for v2 (core.autoVerifyTags?).  However, I don't see a
compelling reason to make it off by default, as if gpg isn't found, or a
particular public key isn't in the keyring, the output is no different
from what fetch prints now.

Deskin Miller
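
The three outcomes discussed in this message (good signature, bad signature, and no extra output when gpg or the public key is unavailable), as an added example that is not part of the original message or the patch series. It classifies gpg's machine-readable status lines as printed by `git verify-tag --raw`; the function names, the summary line layout and the sample status lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: function names and sample data are hypothetical/constructed.

# Constructed gpg status output for a tag whose signing key is not in the keyring.
SAMPLE_MISSING_KEY='[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 0123456789ABCDEF 1 2 00 1227485000 9
[GNUPG:] NO_PUBKEY 0123456789ABCDEF'

# Read gpg status lines on stdin and print the summary suffix.
# Prints nothing when gpg produced no verdict (missing key, gpg not
# installed, unsigned tag), matching the "no additional output" case.
classify_gpg_status() {
    verdict=""
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] BADSIG "*)
                # One bad signature outweighs anything else in the stream.
                verdict="(BAD SIGNATURE)"
                break ;;
            "[GNUPG:] GOODSIG "*)
                verdict="(good signature)" ;;
            "[GNUPG:] NO_PUBKEY "*|"[GNUPG:] ERRSIG "*)
                # Key unavailable: not a verdict, leave the suffix as it is.
                : ;;
        esac
    done
    printf '%s' "$verdict"
}

# Print one summary line per annotated tag in the current repository.
summarize_tags() {
    git for-each-ref --format='%(objecttype) %(refname:short)' refs/tags |
    while read -r type tag; do
        # Lightweight tags point straight at commits and carry no signature.
        [ "$type" = tag ] || continue
        # --raw sends gpg's status lines to stderr; discard stdout.
        suffix=$(git verify-tag --raw "$tag" 2>&1 >/dev/null | classify_gpg_status)
        printf ' * [tag] %s %s\n' "$tag" "$suffix"
    done
}
```

An empty suffix means "not verified", not "verified clean", so a reader of the summary has to look for the presence of "(good signature)" rather than the absence of a warning.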
