On 28/12/2016 08:43, Miroslav Rovis wrote: > > It's a different topic, but it might have the unreliability of > keyservers for its justification: > > The fact that Github, since this outgoing year, accept gpg signing only > if you post your public key to their servers. > > Or does it? Is it more like Github wants to collect and control? > > I know it was possible to: > > $ cd <your git project> > $ git tag <version> -s > $ git push --tags > > and all was there, signed and verifiable for everbody, without the need > to have previously posted your own public key to github.com. Up until > just last year, IIRC. > > Any ideas for true reasons behind that move? And is it an improvement, > or quite the contrary? >
Until this year there was no way to verify the signature of commits and releases through the GitHub website, so they created a "kind of" keyserver in their own server to manage users public keys. -- Alexandre Oliveira 167F D82F 514A E8D1 2E9E C62D 1B63 9D4A 7E9D DA9D _______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
