Hi,

On Sun, 23 Nov 2008, Deskin Miller wrote:

> When git fetch downloads signed tag objects, make it verify them right
> then. This extends the output summary of fetch to include "(good
> signature)" for valid tags and "(BAD SIGNATURE)" for invalid tags. If
> the user does not have the correct key in the gpg keyring, gpg returns
> 2, verify_tag_sha1 returns -2 and nothing additional is output about the
> tag's validity.

This must be turned off by default, IMO. You cannot expect each and every
developer to have gpg _and_ all those public keys installed.

Ciao,
Dscho