On Wed, Dec 09, 2015 at 02:24:17PM -0800, Stefan Beller wrote: > On Wed, Dec 9, 2015 at 2:04 PM, Jeff King <peff@xxxxxxxx> wrote: > > > > Of course you can't just fetch the v1.7.1.4 tag _now_, because the same > > person impersonating the most recent tag could also be impersonating > > (and back-dating) the older tags. But you could fetch it now, store it > > somewhere trusted (e.g., on your laptop), and wait two weeks. If you > > find no public outcry over hacked git, then it is probably OK to assume > > that is the real key. > > > > With all of us pointing out 96AFE6CB being the right hash, you may or may not > trust the list enough to also trust the key now. Who's to assume that I actually checked that 96AFE6CB is right? ;) Actually, I don't typically verify Junio's tag signatures. I fetch and run "make" daily, far more often than he signs, so I would have been p0wned long ago. -Peff -- To unsubscribe from this list: send the line "unsubscribe git" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html