On Wed, Sep 28, 2011 at 00:03, Junio C Hamano <gitster@xxxxxxxxx> wrote:
> Joseph Parmelee <jparmele@xxxxxxxxxxxx> writes:
>
>> Under the present circumstances, and particularly considering the
>> sensitivity of the git code itself, I would suggest that you implement
>> signed detached digital signatures on all release tarballs.
>
> Well, signed tags are essentially detached signatures. People can verify
> tarballs against them if they wanted to, although it is a bit cumbersome.

Aren't tarballs used to get git on machines that don't yet have git?