Linus Torvalds <torvalds@xxxxxxxxxxxxxxxxxxxx> writes:

> On Sat, 10 Feb 2007, Jakub Narebski wrote:
>>
>> One of the solutions, used in git.git repository, is to put public key
>> as an out-of-tree blob using git-hash-object, then tag it using signed tag
>> with instruction about how to extract key in the tag message (tag comment).
>
> No. That's horrible. Yes, it's what Junio did, but if you don't trust the
> archive, the _last_ thing you should do is to depend on a blob in the
> archive itself to contain the thing to make you trust it more.

True. I should have made it clear it was purely a convenient way
for people to get the public key and verifying that key needs to
be done on a separate channel. Otherwise it would have confused
people (exactly like Jakub was confused).
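Added example, not part of the original thread: a shell sketch of the out-of-tree blob plus tag arrangement discussed above, showing why the extracted key only means something once it is compared with a value obtained on a separate channel. The repository, the tag name `maintainer-pub`, the key bytes and the use of `sha256sum` in place of a GPG fingerprint comparison are all assumptions made for the demonstration.

```shell
# Constructed demo: names, paths and key bytes below are placeholders.
# sha256sum stands in for comparing a GPG key fingerprint.

# Store a file as a blob outside any tree and point an annotated tag at it.
publish_key() {  # publish_key <repo> <keyfile> <tagname>
    blob=$(git -C "$1" hash-object -w "$2") || return 1
    git -C "$1" tag -a -m "To extract: git cat-file blob $3" "$3" "$blob"
}

# Succeed only if the tagged blob hashes to the digest obtained out of band.
key_matches() {  # key_matches <repo> <tagname> <expected-sha256>
    actual=$(git -C "$1" cat-file blob "$2" | sha256sum | cut -d' ' -f1) || return 1
    [ "$actual" = "$3" ]
}

demo() {
    export GIT_COMMITTER_NAME=demo GIT_COMMITTER_EMAIL=demo@example.invalid
    work=$(mktemp -d) || return 1
    git init -q "$work/repo"

    printf 'constructed maintainer key\n' > "$work/real.key"
    # Digest the user learned on a separate channel, not from the archive.
    trusted=$(sha256sum "$work/real.key" | cut -d' ' -f1)

    publish_key "$work/repo" "$work/real.key" maintainer-pub
    key_matches "$work/repo" maintainer-pub "$trusted" && r1=match || r1=mismatch

    # An untrusted archive can serve a different blob under the same tag name;
    # only the out-of-band digest notices the difference.
    printf 'constructed substituted key\n' > "$work/other.key"
    git -C "$work/repo" tag -d maintainer-pub >/dev/null
    publish_key "$work/repo" "$work/other.key" maintainer-pub
    key_matches "$work/repo" maintainer-pub "$trusted" && r2=match || r2=mismatch

    rm -rf "$work"
    echo "$r1 $r2"
}
```

With a real key the comparison would be between the fingerprint of the extracted key and a fingerprint received through a channel independent of the repository.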