On Tue, Apr 29, 2008 at 5:46 AM, Jurko Gospodnetić <jurko.gospodnetic@xxxxxxxx> wrote:
>
> > I think you are missing the point. One of the pluses behind originally
> > using SHA-1 and the signed tags is that the system as a whole is
> > cryptographically secure. You can verify from the public key of
> > whoever made the tag that yes, this really is the source and history
> > they tagged.
>
> I am not really sure I follow this.... how can you 'verify from the public
> key of whoever made the tag' that the SHA-1 hash is correct!? SHA-1 does not
> have anything to do with any externally provided keys or have I managed to get
> something confused here?

Sorry for the confusion, it's about using the signed tag and the SHA-1
of the parent commits, along with their associated trees and blobs to
verify the source and history. If you can't trust the signed tag, or
all of the SHA-1's, you can't trust the source and history.

However, as many said, I don't think there is any reason to not trust
SHA-1 in the context of source control.
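The chain described in the reply above, as an added example that is not part of the original message or of Git's own code: it recomputes blob, tree and commit ids the way Git does and shows that the text a tag signature covers names only the tip commit id, so a change to any file in any earlier commit no longer matches the tag. Assumptions: a flat tree of mode 100644 files, a constructed identity and timestamp, and a constructed two-commit history; the public-key signature over the tag payload is not modelled.

```python
import hashlib

def git_object_id(kind: str, body: bytes) -> str:
    """Git names an object by SHA-1 over '<kind> <size>' + NUL + body."""
    header = f"{kind} {len(body)}".encode() + b"\x00"
    return hashlib.sha1(header + body).hexdigest()

def tree_id(entries: dict) -> str:
    """entries maps file name -> blob content; one flat directory, mode 100644."""
    body = b""
    for name in sorted(entries):
        blob = git_object_id("blob", entries[name])
        body += b"100644 " + name.encode() + b"\x00" + bytes.fromhex(blob)
    return git_object_id("tree", body)

def commit_id(tree: str, parents: list, message: str) -> str:
    lines = [f"tree {tree}"] + [f"parent {p}" for p in parents]
    # Constructed author/committer identity and timestamp.
    who = "Example Dev <dev@example.invalid> 1209459960 +0000"
    lines += [f"author {who}", f"committer {who}", "", message]
    return git_object_id("commit", ("\n".join(lines) + "\n").encode())

def history_tip(snapshots: list) -> str:
    """Commit each snapshot on top of the previous one; return the tip commit id."""
    parent = []
    for i, files in enumerate(snapshots):
        parent = [commit_id(tree_id(files), parent, f"commit {i}")]
    return parent[0]

def tag_payload(commit: str) -> bytes:
    """The text a tag signature covers: it names only the tip commit id."""
    return (f"object {commit}\ntype commit\ntag v1.0\n"
            "tagger Example Dev <dev@example.invalid> 1209459960 +0000\n\nrelease\n").encode()

def matches_tag(payload: bytes, snapshots: list) -> bool:
    """Recompute the chain from content and compare with the id in the tag."""
    tagged = payload.split(b"\n", 1)[0].split(b" ")[1].decode()
    return tagged == history_tip(snapshots)

# Constructed two-commit history.
HISTORY = [{"main.c": b"int main(void){return 0;}\n"},
           {"main.c": b"int main(void){return 0;}\n", "README": b"hello\n"}]
PAYLOAD = tag_payload(history_tip(HISTORY))

# Tamper with a file in the *first* commit only; the second snapshot is unchanged.
TAMPERED = [{"main.c": b"int main(void){return 1;}\n"}, HISTORY[1]]

if __name__ == "__main__":
    print(matches_tag(PAYLOAD, HISTORY), matches_tag(PAYLOAD, TAMPERED))
```

The second commit's tree is byte-identical in both histories; the mismatch comes solely from the `parent` line, which is how the hash of old history is bound into the tagged commit.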