On Thu, 2020-04-23 at 19:30 +0200, Christoph Anton Mitterer wrote:
[...]
> It would be nice if the handbook tells people how to verify their
> repos by proper git means, i.e. verify signatures on tags.

Yes, definitely.

> At least for (2), Linus signs the tags, and the Debian kernel source
> package contains Linus' and Greg's keys, so a user could at least
> quite simply verify everything up to and including the respective tag.
>
>
> For the (1) I guess you guys don't use signatures, though. :-/

All but 2 of the tags we've made since converting from Subversion to
git are signed.

Ben.

-- 
Ben Hutchings
For every complex problem
there is a solution that is simple, neat, and wrong.