On Thu, Sep 24, 2015 at 05:41:06PM -0700, Junio C Hamano wrote:

> Of course, this can be improved if we start using signed push into
> GitHub. It is a separate issue in the sense that it would help
> GitHub to make that assurance stronger---those who fetch/clone can
> be assured that the tips of branches are what I pushed, without even
> trusting GitHub.

It's been on my todo list to investigate this further, but I just
haven't gotten around to it. My understanding is that GitHub would need
to store your signed-push certificate somewhere (e.g., in a git tree
that records all of the push certs).

If the point is for clients not to trust GitHub, though, it doesn't
really matter what GitHub does with the cert, as long as it is put
somewhere that clients know to get it. So I wonder if it would be
helpful to have a microformat that the client would use to look at this.
E.g., it would fetch the cert tree, then confirm that the current ref
values match the latest cert.

-Peff
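
A sketch of the client-side check proposed in the message above, added here as an example and not code from the thread, from git or from GitHub: it parses one push certificate in git's `certificate version 0.1` layout and compares the ref values it records with the refs a server advertises. The function names and the sample certificate are constructed, the signature is assumed to have been verified separately with GPG, and since the message defines no cert-tree layout the code takes the certificate text and a ref map as plain inputs.

```python
# Added example; names and sample data are constructed, not from git or GitHub.
ZERO = "0" * 40  # all-zero object id marks ref creation (old) or deletion (new)

# Constructed certificate body; the signature is assumed verified elsewhere (gpg).
SAMPLE_CERT = """\
certificate version 0.1
pusher Example Pusher <pusher@example.com> 1443141666 -0700
pushee https://git.example.com/project.git
nonce 1443141660-constructednonce

{old} {new} refs/heads/master
{zero} {tag} refs/tags/v1.0
-----BEGIN PGP SIGNATURE-----
(elided)
-----END PGP SIGNATURE-----
""".format(old="a" * 40, new="b" * 40, zero=ZERO, tag="c" * 40)


def parse_push_cert(text):
    """Return (headers, updates); updates maps ref -> (old_oid, new_oid)."""
    head, sep, body = text.partition("\n\n")
    if not sep:
        raise ValueError("no blank line between header and ref updates")
    headers = dict(line.split(" ", 1) for line in head.splitlines())
    if headers.get("certificate") != "version 0.1":
        raise ValueError("unsupported push certificate version")
    updates = {}
    for line in body.splitlines():
        if line.startswith("-----BEGIN PGP SIGNATURE-----"):
            break
        if line.strip():
            old, new, ref = line.split(" ", 2)
            updates[ref] = (old, new)
    return headers, updates


def check_refs(updates, advertised):
    """List mismatches between advertised refs (name -> oid) and the cert."""
    problems = []
    for ref, (_old, new) in updates.items():
        current = advertised.get(ref)
        if new == ZERO and current is not None:
            problems.append((ref, "deleted in cert but still advertised"))
        elif new != ZERO and current != new:
            problems.append((ref, "advertised %s, cert says %s" % (current, new)))
    # A ref this cert never mentions cannot be vouched for by it.
    problems += [(r, "not covered by this cert") for r in advertised if r not in updates]
    return problems
```

The `advertised` map would come from something like `git ls-remote`; a complete check would walk every certificate in the tree to find the latest one for each ref.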