On Wed, Aug 20, 2014 at 5:06 AM, Junio C Hamano <gitster@xxxxxxxxx> wrote:
> While signed tags and commits assert that the objects thusly signed
> came from you, who signed these objects, there is not a good way to
> assert that you wanted to have a particular object at the tip of a
> particular branch. My signing v2.0.1 tag only means I want to call
> the version v2.0.1, and it does not mean I want to push it out to my
> 'master' branch---it is likely that I only want it in 'maint', so
> the signature on the object alone is insufficient.
>
> The only assurance to you that 'maint' points at what I wanted to
> place there comes from your trust on the hosting site and my
> authentication with it, which cannot easily be audited later.

I only had a quick read of a few important patches and may miss
something. But all this audit recording is left to the hook, right? I
suppose git-notes could be used to store the push cert. blob, or the
server could make a signed tag to record this info in the ref.. or do
you intend any other way to record these blobs?
--
Duy