On Mon, 2007-01-15 at 10:00 +0000, Andy Parkins wrote:
> Hello,
>
> I was just talking to another developer in my office about version control.
> He's working with Windows so has chosen Monotone for a version control
> system. I didn't have any huge objections, as I'm sure monotone can be
> migrated to git without much trouble (they look to support the same features
> from my brief reading).

The decision to use SHA1 hashes for all objects comes from Monotone, so the
design has to be somewhat similar.

> Of course my favourite is git, but we were talking about the certificates
> needed by monotone for each developer. I assume that monotone therefore
> signs every commit. It obviously crossed my mind as to how one would do that
> with git? We obviously already have the ability to sign a tag, but is there
> a way in which one could sign every commit.

You'd need to automatically generate a signed tag for every commit (for
example in a post-commit hook? Or use a wrapper script for git-commit which
runs git-tag -s afterwards)

> The more I think about it, the more it could be a reasonable question. In my
> own repository I can obviously create whatever commits I like, claiming them
> to be from whomever I like just by altering a few config settings. If I put
> a few of those in my own repository and then managed to persuade Junio to
> pull from me - wouldn't I have faked commits from another developer?
> However, I wouldn't be able to fake a gpg signature.

You just explained why no one should pull from people he does not trust.

I think it would be overkill to sign every single commit, signed tags are
enough to sign the whole history (as everyone should know by now).

Matthias
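The post-commit-hook idea from the reply above, written out as an added example (not code from the thread or from git itself): one script that, when called as `hook`, creates a GPG-signed tag for HEAD, and when called as `verify`, walks the history and rejects any commit whose tag is missing, points elsewhere, or fails `git verify-tag`. It assumes a git repository, gpg with a usable secret key, and the tag prefix `signed/`, which is my own naming convention.

```shell
#!/bin/sh
# Added example: sign every commit with a per-commit signed tag, and check
# that the whole history carries valid ones. Assumes git + gpg are set up.
# Install as .git/hooks/post-commit with the body: exec sign-commits.sh hook

TAG_PREFIX="signed/"   # assumed convention, not a git built-in

# Derive the tag name for a commit id (pure string function).
signed_tag_name() {
    printf '%s%s\n' "$TAG_PREFIX" "$1"
}

# Hook body: create a signed tag on the commit that was just made.
sign_head() {
    commit=$(git rev-parse HEAD)
    git tag -s "$(signed_tag_name "$commit")" -m "signed commit $commit" "$commit"
}

# Checker: every commit reachable from HEAD needs a tag that (a) exists,
# (b) really points at that commit, and (c) has a valid GPG signature.
# Prints offenders; returns 1 if any are found.
verify_history() {
    bad=0
    for commit in $(git rev-list HEAD); do
        tag=$(signed_tag_name "$commit")
        target=$(git rev-parse --verify -q "$tag^{commit}" 2>/dev/null)
        if [ "$target" != "$commit" ]; then
            echo "NO TAG or WRONG TARGET: $commit"
            bad=1
        elif ! git verify-tag "$tag" >/dev/null 2>&1; then
            echo "BAD SIGNATURE: $commit"
            bad=1
        fi
    done
    return $bad
}

case "${1:-}" in
    hook)   sign_head ;;
    verify) verify_history ;;
esac
```

Later git releases added `git commit -S` and `git verify-commit`, which sign and check the commit object itself rather than a tag pointing at it.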