Jeff King <peff@xxxxxxxx> writes: > If the point is for clients not to trust GitHub, though, it doesn't > really matter what GitHub does with the cert, as long as it is put > somewhere that clients know to get it. Correct. A spiffy Web interface that says "Click this button and we show you the output of GPG signature verification" would not help. The push certificate is all about allowing third-parties to conduct an independent audit, so anything the hosting site computes using the certificates does not add value, unless the certificates themselves are exported for such an independent audit. If somebody found a change to "git push" that makes it pick the user's wallet and sends a few coins every time it talks to the hosting site, the hosting site can say it is not their doing by showing that the tip of the commit that contains such a change came from me, and it is not their evil doing. Push certificates help the hosting site prove their innocence, and those who do not trust the site can still be convinced by the claim. There is one scenario that signed push would not help very much, though. The hosting site cannot deny that it did not receive a push. Following such an incident (perhaps the evil change came as a side effect of a innocuous looking patch), I would push a commit that fixes such an issue out to the hosting site (with signed commit). But if the hosting site deliberately keeps the tip of the branch unmodified (e.g. you can appear to accept the push to the pusher, without updating what is served to the general public), there will be more people who will fetch from the hosting site to contaminate their copy of git and the damage will spread in the meantime. When I finally complain to the hosting site that it is deliberately rejecting the fix that would rob them the illicit revenue source, it does not help the hosting site to keep copies of push certificates when it wants to refute such a complaint. "We publish all push certificates and there is no record that gitster already tried to fix the issue" has to be taken with faith in that scenario. So push certificate is not perfect. But it does protect hosting sites and projects hosted on them. > So I wonder if it would be > helpful to have a microformat that the client would use to look at this. > E.g., it would fetch the cert tree, then confirm that the current ref > values match the latest cert. Yeah, that is one possibility. Just a single flat file that concatenates all the push cert in the received order would do as an export format, too ;-) -- To unsubscribe from this list: send the line "unsubscribe git" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html