From: Deskin Miller <deskinm@umich.edu>
To: Johannes Schindelin <Johannes.Schindelin@gmx.de>
Cc: git@vger.kernel.org
Subject: Re: [RFC PATCH 0/4] Teach git fetch to verify signed tags automatically
Date: Thu, 27 Nov 2008 19:18:25 -0500
Message-ID: <20081128001825.GA29662@euler>
In-Reply-To: <alpine.DEB.1.00.0811241140280.30769@pacific.mpi-cbg.de>

On Mon, Nov 24, 2008 at 11:41:27AM +0100, Johannes Schindelin wrote:
> On Sun, 23 Nov 2008, Deskin Miller wrote:
>
> > -What to do if a tag is found to have a bad signature?
>
> Or even worse: if the public key was not found? In dubio pro reo, they
> say, but OTOH you asked to verify the signatures...

I don't see how not finding the public key is `worse' than a bad
signature. Compared to what the user learns currently when they run git
fetch and receive new signed tags, the case of not having the required
public key leaves them in exactly the same state: the user does not know
whether the signature is valid or not.

The user didn't ask to verify, as I see it; rather, they asked git to
*try* to verify. If that fails in a way they don't expect, they're free
to investigate further with git tag -v for situations like not having
the right public key.

Deskin Miller
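
An added illustration, not part of the original message or of the patch series: the three outcomes discussed above (good signature, bad signature, public key not found) told apart from GnuPG's machine-readable status lines. The function names, the sample status lines and the policy that only a bad signature counts as an error are assumptions made for this example.

```shell
#!/bin/sh
# Added illustration; not code from the patch series under discussion.
# Maps GnuPG status-fd lines (read on stdin) to one of three outcomes.
classify_gpg_status() {
    awk '
        $1 != "[GNUPG:]" { next }      # skip human-readable gpg output
        $2 == "BADSIG"   { bad = 1 }   # key present, signature does not match
        $2 == "GOODSIG"  { good = 1 }  # key present, signature matches
        END {
            if (bad)       print "bad"
            else if (good) print "good"
            else           print "unknown"  # NO_PUBKEY, ERRSIG or no status
        }'
}

# Hypothetical policy: only a provably bad signature is an error. A tag that
# could not be checked leaves the user where an unverified fetch would, with
# a pointer to the manual check.
report_tag() {   # usage: report_tag <tagname> < status-lines
    tag=$1
    case $(classify_gpg_status) in
        good) echo "tag $tag: signature verified"; return 0 ;;
        bad)  echo "tag $tag: BAD signature" >&2; return 1 ;;
        *)    echo "tag $tag: not verified, try: git tag -v $tag" >&2
              return 0 ;;
    esac
}

# Constructed status output; key IDs, names and timestamps are made up.
SAMPLE_GOOD='gpg: Good signature from "Example Tagger"
[GNUPG:] GOODSIG 0123456789ABCDEF Example Tagger <tagger@example.org>'
SAMPLE_BAD='[GNUPG:] BADSIG 0123456789ABCDEF Example Tagger <tagger@example.org>'
SAMPLE_NOKEY='[GNUPG:] ERRSIG FEDCBA9876543210 17 2 00 1227830000 9
[GNUPG:] NO_PUBKEY FEDCBA9876543210'
```

On a Git that has `git verify-tag --raw`, the status lines can be taken from its standard error: `git verify-tag --raw "$tag" 2>&1 >/dev/null | report_tag "$tag"`.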