Junio C Hamano wrote:
> Linus Torvalds <torvalds@xxxxxxxxxxxxxxxxxxxx> writes:
>> On Sat, 10 Feb 2007, Jakub Narebski wrote:
>>>
>>> One of the solutions, used in git.git repository, is to put public key
>>> as an out-of-tree blob using git-hash-object, then tag it using signed tag
>>> with instruction about how to extract key in the tag message (tag comment).
>>
>> No. That's horrible. Yes, it's what Junio did, but if you don't trust the
>> archive, the _last_ thing you should do is to depend on a blob in the
>> archive itself to contain the thing to make you trust it more.
>
> True. I should have made it clear it was purely a convenient
> way for people to get the public key and verifying that key
> needs to be done on a separate channel. Otherwise it would have
> confused people (exactly like Jakub was confused).

Gaah, perhaps I wasn't clear: I mentioned this as a method to _transfer_
the actual data for public key (I thought the question was about that).
Not that one should place any trust because tags are signed by in-repo key...

-- 
Jakub Narebski
Poland
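The check this thread calls for, comparing a key fetched from the repository against a fingerprint obtained over a separate channel, as an added example that is not part of the original thread or of git itself. It assumes the blob has already been reduced to a single binary OpenPGP v4 RSA public-key packet; the key material, timestamp and function names are constructed for illustration.

```python
import hashlib
import struct


def build_v4_rsa_packet(n: int, e: int, created: int) -> bytes:
    """Constructed sample input: a binary OpenPGP v4 RSA public-key packet."""
    def mpi(x: int) -> bytes:
        return struct.pack(">H", x.bit_length()) + x.to_bytes((x.bit_length() + 7) // 8, "big")
    body = bytes([4]) + struct.pack(">I", created) + bytes([1]) + mpi(n) + mpi(e)
    return bytes([0x99]) + struct.pack(">H", len(body)) + body


def v4_fingerprint(packet: bytes) -> str:
    """RFC 4880 section 12.2: SHA-1 over 0x99, two-octet length, packet body."""
    if len(packet) < 3 or packet[0] != 0x99:
        raise ValueError("expected an old-format public-key packet with 2-octet length")
    (length,) = struct.unpack(">H", packet[1:3])
    body = packet[3:3 + length]
    if len(body) != length or not body or body[0] != 4:
        raise ValueError("truncated packet or not a v4 key")
    return hashlib.sha1(b"\x99" + packet[1:3] + body).hexdigest().upper()


def key_is_trusted(blob_from_repo: bytes, fingerprint_out_of_band: str) -> bool:
    """Accept the blob only if it matches a fingerprint obtained elsewhere."""
    expected = fingerprint_out_of_band.replace(" ", "").upper()
    try:
        return v4_fingerprint(blob_from_repo) == expected
    except ValueError:
        return False  # unparseable blob is never trusted


# Constructed values (not real RSA keys): the maintainer's key, and a key an
# attacker who controls the archive could put in the blob instead.
GENUINE = build_v4_rsa_packet(n=(1 << 1023) | 0xC0FFEE, e=65537, created=1171065600)
SUBSTITUTED = build_v4_rsa_packet(n=(1 << 1023) | 0xBADBAD, e=65537, created=1171065600)
# Stand-in for the fingerprint received on a separate channel.
PUBLISHED_FPR = v4_fingerprint(GENUINE)

if __name__ == "__main__":
    print("genuine blob accepted:    ", key_is_trusted(GENUINE, PUBLISHED_FPR))
    print("substituted blob accepted:", key_is_trusted(SUBSTITUTED, PUBLISHED_FPR))
```

The repository copy only transports the key bytes; the accept or reject decision depends entirely on the fingerprint that did not come from the repository.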