[pass] Killing plaintext git:// in favor of https:// cloning
Jason A. Donenfeld
Jason at zx2c4.com
Tue Feb 23 15:03:00 CET 2016
On Tue, Feb 23, 2016 at 2:53 PM, Brian Minton <brian at minton.name> wrote:
> Certainly got can sign individual tags with an OpenPGP key. Each commit is
> also hashed and the hashes are known. If you sign every commit, or at least
> every release, the code can't be tampered with. This is the workflow of, for
> instance, the Linux kernel.
False. Commits in Linux development are not routinely signed.
More information about the Password-Store