On 2007-01-15 05:43:36 -0500, Shawn O. Pearce wrote:

> If you don't trust the owner, but you trust the pusher, then using 1
> annotated tag per push is reasonable and gives you something to
> verify the repository owner isn't playing games. If you don't trust
> the pusher then you should be reviewing the changes before deciding
> to keep them in your project.
>
> But even then annotated tags are overkill. You could just receive
> the commit SHA1 out-of-band from the pusher (e.g. email, like
> Junio's hidden X-master-at header) and verify that by hand. 8 digits
> is probably more than enough to hand-verify the entire commit chain
> you are receiving.

No. You've just constructed a system whose security depends on a
32-bit hash. This is one of those situations where you really do need
all the digits.

-- 
Karl Hasselström, kha@xxxxxxxxxxx
www.treskal.com/kalle
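The point of the reply above, as an added example that is not part of the thread: a check for an out-of-band commit id that hashes the object the way git names it and refuses truncated ids, since an 8-hex-digit prefix leaves only 32 bits for a forger to match. The commit body and the `verify_out_of_band` helper are constructed for illustration; the tree id is the well-known empty-tree SHA1.

```python
import hashlib
import hmac

# Constructed sample commit object (not from the thread). The tree id is
# git's well-known empty tree, so this commit would be a valid object.
SAMPLE_COMMIT = (
    b"tree 4b825dc642cb6eb9a060e54bf8d69288fbee4904\n"
    b"author A U Thor <author@example.com> 1168857816 -0500\n"
    b"committer A U Thor <author@example.com> 1168857816 -0500\n"
    b"\n"
    b"Constructed sample commit\n"
)


def git_object_sha1(kind: str, payload: bytes) -> str:
    """Name an object the way git does: SHA1 over "<kind> <size>\\0<payload>"."""
    header = f"{kind} {len(payload)}\0".encode()
    return hashlib.sha1(header + payload).hexdigest()


def preimage_work_bits(hex_digits: int) -> int:
    """Brute-force work (in bits) to produce an object matching a prefix of
    this many hex digits: each hex digit pins down four bits of the hash."""
    return 4 * hex_digits


def verify_out_of_band(kind: str, payload: bytes, claimed_hex: str,
                       min_hex_digits: int = 40):
    """Compare a received object against an id sent out of band (e.g. by
    email). Returns (ok, reason). Ids shorter than min_hex_digits are
    rejected outright rather than prefix-matched, because a short prefix
    gives the sender of the object far too little work to forge a match."""
    claimed = claimed_hex.strip().lower()
    if any(c not in "0123456789abcdef" for c in claimed):
        return False, "claimed id is not hexadecimal"
    if len(claimed) < min_hex_digits:
        bits = preimage_work_bits(len(claimed))
        return False, (f"refusing {len(claimed)}-digit id: matching it "
                       f"costs only about 2^{bits} hash attempts")
    actual = git_object_sha1(kind, payload)
    # Constant-time compare; prefix form so a policy allowing >=40 still works.
    if hmac.compare_digest(actual[:len(claimed)], claimed):
        return True, "object matches the full out-of-band id"
    return False, f"mismatch: object hashes to {actual}"


if __name__ == "__main__":
    full = git_object_sha1("commit", SAMPLE_COMMIT)
    print(verify_out_of_band("commit", SAMPLE_COMMIT, full))
    print(verify_out_of_band("commit", SAMPLE_COMMIT, full[:8]))
```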