On Mon, Nov 24, 2008 at 11:41:27AM +0100, Johannes Schindelin wrote:
> On Sun, 23 Nov 2008, Deskin Miller wrote:
>
> > -What to do if a tag is found to have a bad signature?
>
> Or even worse: if the public key was not found? In dubio pro reo, they
> say, but OTOH you asked to verify the signatures...

I don't see how not finding the public key is `worse' than a bad signature.
Compared to what the user learns currently when they run git fetch and
receive new signed tags, the case of not having the required public key
leaves them in exactly the same state: the user does not know whether the
signature is valid or not.

The user didn't ask to verify, as I see it; rather, they asked git to *try*
to verify. If that fails in a way they don't expect, they're free to
investigate further with git tag -v for situations like not having the right
public key.

Deskin Miller
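
The distinction drawn in the message above, as an added example that is not part of the original e-mail or of git's code: GnuPG's status output reports a bad signature (`BADSIG`) and a missing public key (`NO_PUBKEY`) separately, so a script can keep the two cases apart. The verdict names, `classify_sig`, `fetch_message`, and the sample key IDs and tag names are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example (not git's code). Reads GnuPG status lines on stdin, such as
# those `git verify-tag --raw <tag>` writes to stderr, and prints one verdict:
#   good | bad | unknown-key | unverified
classify_sig() {
    verdict=unverified                      # nothing conclusive seen yet
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] BADSIG "*)
                verdict=bad ;;              # key present, data does not match
            "[GNUPG:] NO_PUBKEY "*)
                # No key to check against: validity is unknown, not disproved.
                if [ "$verdict" != bad ]; then verdict=unknown-key; fi ;;
            "[GNUPG:] GOODSIG "*)
                if [ "$verdict" = unverified ]; then verdict=good; fi ;;
        esac
    done
    printf '%s\n' "$verdict"
}

# Hypothetical fetch-time policy: only a proven-bad signature is an alarm;
# a missing key is reported and left for the user to chase with `git tag -v`.
fetch_message() {   # $1 = tag name, $2 = verdict
    case "$2" in
        good)        printf 'tag %s: good signature\n' "$1" ;;
        bad)         printf 'tag %s: BAD signature\n' "$1" ;;
        unknown-key) printf 'tag %s: not verified (no public key); try git tag -v %s\n' "$1" "$1" ;;
        *)           printf 'tag %s: no signature result\n' "$1" ;;
    esac
}

# Constructed status output; key IDs, names and tag names are made up.
sample_good='[GNUPG:] GOODSIG 0123456789ABCDEF Example Tagger <tagger@example.org>'
sample_bad='[GNUPG:] BADSIG 0123456789ABCDEF Example Tagger <tagger@example.org>'
sample_nokey='[GNUPG:] ERRSIG FEDCBA9876543210 1 2 00 1227500000 9
[GNUPG:] NO_PUBKEY FEDCBA9876543210'

for pair in "v1.0:$sample_good" "v1.1:$sample_bad" "v1.2:$sample_nokey"; do
    tag=${pair%%:*}
    fetch_message "$tag" "$(printf '%s\n' "${pair#*:}" | classify_sig)"
done
```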