Re: [RFC PATCH 0/4] Teach git fetch to verify signed tags automatically

Hi,

On Thu, 27 Nov 2008, Deskin Miller wrote:

> This patch series mitigates this risk by trying to verify each signed 
> tag when it is first fetched.  Since, however, not everyone is concerned 
> with the security of signed tags, this feature tries to be conservative 
> insofar as signatures with public keys which are missing from the user's 
> keyring do not cause anything to be said about the tag's validity;

Now, in the context of security, this is not conservative.  Conservative 
would be to fail as soon as a signature could not be verified, be it that 
there is no key to match against, or that the signature is corrupt.

Your notion to fail silently if the necessary keys were not found makes 
your patch series rather useless, no?

After all, the whole idea is to let Git check if every signature is 
correct, and when Git does not fail, rely on them being valid.

So I think that the _only_ thing that would make sense is to fail _unless_ 
all the signatures were verified to be correct.

_That_ is why I want this feature to be off by default.

Ciao,
Dscho
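
The two policies contrasted in this message, as an added example that is not part of the original mail or of the patch series. GOODSIG, BADSIG, ERRSIG and NO_PUBKEY are GnuPG's machine-readable status keywords; the tag names, key IDs and status lines are constructed, the function names are hypothetical, and the "lenient" policy is one reading of the quoted RFC text.

```python
# Added illustration: fail-open vs. fail-closed handling of tag signatures.
# Input is GnuPG status text per signed tag (constructed samples below).
GOOD, BAD, NO_KEY, UNVERIFIED = "good", "bad", "no-key", "unverified"


def classify(status: str) -> str:
    """Map the GnuPG status lines for one signature to a verdict."""
    keywords = {
        line.split()[1]
        for line in status.splitlines()
        if line.startswith("[GNUPG:] ") and len(line.split()) > 1
    }
    if "BADSIG" in keywords:       # signature does not match the tag contents
        return BAD
    if "NO_PUBKEY" in keywords:    # signer's key is not in the keyring
        return NO_KEY
    if "GOODSIG" in keywords:      # signature checked against a known key
        return GOOD
    return UNVERIFIED              # nothing conclusive was reported


def evaluate(statuses: dict) -> dict:
    """Verdict per tag name."""
    return {tag: classify(text) for tag, text in statuses.items()}


def lenient_fetch_ok(verdicts: dict) -> bool:
    """Quoted RFC behaviour (as read here): a missing key says nothing."""
    return all(v in (GOOD, NO_KEY) for v in verdicts.values())


def strict_fetch_ok(verdicts: dict) -> bool:
    """Behaviour argued for in the reply: fail unless every signature verified."""
    return all(v == GOOD for v in verdicts.values())


# Constructed sample: one verifiable tag, one signed with an unknown key.
SAMPLE = {
    "v1.0": "[GNUPG:] GOODSIG 0123456789ABCDEF Constructed Signer <signer@example.invalid>\n",
    "v1.1": "[GNUPG:] ERRSIG FEDCBA9876543210 1 2 00 1227744000 9\n"
            "[GNUPG:] NO_PUBKEY FEDCBA9876543210\n",
}

if __name__ == "__main__":
    verdicts = evaluate(SAMPLE)
    print(verdicts)
    print("lenient:", lenient_fetch_ok(verdicts))  # succeeds with v1.1 unchecked
    print("strict: ", strict_fetch_ok(verdicts))   # fails: v1.1 was not verified
```

Under the lenient policy a successful run does not imply that every tag was checked, which is the objection raised above.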
