[pass] Killing plaintext git:// in favor of https:// cloning
Brian Minton
brian at minton.name
Tue Feb 23 15:20:23 CET 2016
No, but releases, aka tags, are.
On Tue, Feb 23, 2016, 9:06 AM Jason A. Donenfeld <Jason at zx2c4.com> wrote:
> On Tue, Feb 23, 2016 at 2:53 PM, Brian Minton <brian at minton.name> wrote:
> > Certainly got can sign individual tags with an OpenPGP key. Each commit
> is
> > also hashed and the hashes are known. If you sign every commit, or at
> least
> > every release, the code can't be tampered with. This is the workflow of,
> for
> > instance, the Linux kernel.
>
> False. Commits in Linux development are not routinely signed.
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.zx2c4.com/pipermail/password-store/attachments/20160223/37832d0e/attachment.html>
More information about the Password-Store
mailing list