Jeff King <p...@peff.net> writes:

> On Tue, Jan 26, 2016 at 10:29:42AM -0500, Santiago Torres wrote:
>
>> > If you cannot trust those with write access to a repo that you are
>> > pulling and installing from you might want to re-check where you are
>> > pulling or installing from ;)
>> 
>> Yeah, I see your point, but mechanisms to ensure the server's origin can
>> be bypassed (e.g., a MITM). I don't think it would hurt to ensure the
>> source pointed to is the source itself. The tag signature can help us do
>> this.
>
> Right. I think the more interesting use case here is "I trust the
> upstream repository owner, but I do not trust their hosting site of
> choice."

Yup, and push-certificate is there to help with that issue.