Hi,

Sebastian Götte wrote:

> git merge/pull:
> When --verify-signatures is specified on the command-line of git-merge
> or git-pull, check whether the commits being merged have good gpg
> signatures and abort the merge in case they do not. This allows e.g.
> auto-deployment from untrusted repo hosts.

This leaves me pretty nervous. Is there an argument to pass in to specify a keyring with public keys to trust? Without that, it is presumably using ~/.gnupg/trustdb.gpg, which is about trust of identity rather than trust to provide code to run on my machine. :(

If there's a good way to avoid that, this looks like a good thing to do, though.

Hope that helps,
Jonathan
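The distinction raised in this message, between a signature that gpg considers good and a signer who is authorized to supply code for deployment, can be checked outside Git. The following is an added example, not part of the original message or of the patch under discussion: it parses gpg's machine-readable status lines and accepts a commit only if the signing key's fingerprint is on an explicit allowlist. It assumes a Git version that provides `git verify-commit --raw`; the fingerprints, the sample status text and all function names are constructed for illustration.

```python
import subprocess

# Constructed sample values; not real keys.
DEPLOY_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
OTHER_FPR = "FEDCBA9876543210FEDCBA9876543210FEDCBA98"
# gpg status keywords after which the signature must not be relied on.
REJECT = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"}

def sample_status(fpr):
    """Constructed gpg --status-fd output for one good signature by `fpr`."""
    return (
        "[GNUPG:] NEWSIG\n"
        f"[GNUPG:] GOODSIG {fpr[-16:]} Example Signer <signer@example.invalid>\n"
        f"[GNUPG:] VALIDSIG {fpr} 2013-03-30 1364601600 0 4 0 1 8 00 {fpr}\n"
        "[GNUPG:] TRUST_FULLY\n"
    )

def signer_fingerprint(status_text):
    """Primary-key fingerprint if exactly one valid signature and no failures, else None."""
    found = []
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        if fields[1] in REJECT:
            return None
        if fields[1] == "VALIDSIG" and len(fields) >= 3:
            # Field 11 is the primary key's fingerprint when gpg reports it;
            # field 2 is the signing (sub)key's own fingerprint.
            found.append((fields[11] if len(fields) >= 12 else fields[2]).upper())
    return found[0] if len(found) == 1 else None

def is_authorized(status_text, allowed):
    """True only if the signer is on the deployment allowlist, whatever trustdb says."""
    fpr = signer_fingerprint(status_text)
    return fpr is not None and fpr in {a.replace(" ", "").upper() for a in allowed}

def commit_status(rev, repo="."):
    """Raw gpg status for one commit; `git verify-commit --raw` writes it to stderr."""
    if rev.startswith("-"):
        raise ValueError("revision must not look like an option")
    proc = subprocess.run(["git", "-C", repo, "verify-commit", "--raw", rev],
                          capture_output=True, text=True)
    return proc.stderr

if __name__ == "__main__":
    print(is_authorized(sample_status(DEPLOY_FPR), {DEPLOY_FPR}))  # allowlisted signer
    print(is_authorized(sample_status(OTHER_FPR), {DEPLOY_FPR}))   # good signature, wrong key
```

In a deployment hook, `is_authorized(commit_status(rev), allowlist)` would be evaluated for every commit being merged before the working tree is updated.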