Jonathan Nieder <jrnieder@xxxxxxxxx> writes:

>> git merge/pull:
>> When --verify-signatures is specified on the command-line of git-merge
>> or git-pull, check whether the commits being merged have good gpg
>> signatures and abort the merge in case they do not. This allows e.g.
>> auto-deployment from untrusted repo hosts.
>
> This leaves me pretty nervous. Is there an argument to pass in to
> specify a keyring with public keys to trust? Without that, it is
> presumably using ~/.gnupg/trustdb.gpg, which is about trust of
> identity rather than trust to provide code to run on my machine. :(

I think people who create a real merge via "git pull" and use that as
an "auto-deployment" mechanism are insane, but presumably that "auto"
tells us some other things, like it will be done by a non-human account,
its $HOME/.gnupg would contain only the keyring that is for the auto
deployer, or the cron script that runs "git pull" can set GNUPGHOME and
export it before doing so.

So, I wouldn't be worried about it too much.
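One way to do what the reply suggests, as an added example that is not code from the thread or from git itself: a wrapper for the non-human deploy account that points GNUPGHOME at a dedicated keyring directory, refuses to run unless that directory is locked down, and then runs `git pull --ff-only --verify-signatures`. The path `/var/lib/deployer/gnupg` and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not part of the thread or of git: wrapper for a non-human
# deployment account. GNUPGHOME is pointed at a dedicated directory, so gpg
# only sees the keys the deployer imported there, not the ~/.gnupg of
# whoever happens to run the script. Path and function names are assumed.

DEPLOY_KEYRING="${DEPLOY_KEYRING:-/var/lib/deployer/gnupg}"  # assumed path

# Sanity-check the isolated keyring directory before trusting it.
# Returns 0 if usable, 1 if missing, 2 if the mode is not 0700,
# 3 if it holds no public keyring at all.
check_keyring_dir() {
    dir="$1"
    [ -d "$dir" ] || { echo "keyring dir missing: $dir" >&2; return 1; }
    # GNU stat first, BSD/macOS stat as the fallback.
    mode=$(stat -c '%a' "$dir" 2>/dev/null || stat -f '%Lp' "$dir")
    [ "$mode" = "700" ] ||
        { echo "expected mode 700 on $dir, got $mode" >&2; return 2; }
    [ -s "$dir/pubring.kbx" ] || [ -s "$dir/pubring.gpg" ] ||
        { echo "no public keyring in $dir" >&2; return 3; }
    return 0
}

# Pull the deployment branch, accepting only a fast-forward whose tip
# commit carries a signature that gpg, using the isolated keyring, accepts.
deploy_pull() {
    remote="${1:-origin}"
    branch="${2:-master}"
    check_keyring_dir "$DEPLOY_KEYRING" || return $?
    GNUPGHOME="$DEPLOY_KEYRING"
    export GNUPGHOME
    git pull --ff-only --verify-signatures "$remote" "$branch"
}
```

The key imported into that directory must also be given ownertrust there, since git rejects signatures from keys that gpg reports as untrusted.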