Jeff King <peff@xxxxxxxx> writes: > On Tue, Jan 26, 2016 at 10:29:42AM -0500, Santiago Torres wrote: > >> > If you cannot trust those with write access to a repo that you are >> > pulling and installing from you might want to re-check where you are >> > pulling or installing from ;) >> >> Yeah, I see your point, but mechanisms to ensure the server's origin can >> be bypassed (e.g., a MITM). I don't think it would hurt to ensure the >> source pointed to is the source itself. The tag signature can help us do >> this. > > Right. I think the more interesting use case here is "I trust the > upstream repository owner, but I do not trust their hosting site of > choice." Yup, and push-certificate is there to help with that issue. -- To unsubscribe from this list: send the line "unsubscribe git" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html