[pass] Killing plaintext git:// in favor of https:// cloning

Brian Minton brian at minton.name
Tue Feb 23 15:26:16 CET 2016


master bminton.is-a-geek.net:~/src/linux$ git tag -v v4.5-rc1
object 92e963f50fc74041b5e9e744c330dca48e04f08d
type commit
tag v4.5-rc1
tagger Linus Torvalds <torvalds at linux-foundation.org> 1453669617 -0800

Linux 4.5-rc1
gpg: Signature made Sun 24 Jan 2016 04:06:57 PM EST
gpg:                using RSA key 79BE3E4300411886
gpg: Good signature from "Linus Torvalds <torvalds at linux-foundation.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the
owner.
Primary key fingerprint: ABAF 11C6 5A29 70B1 30AB  E3C4 79BE 3E43 0041 1886
master bminton.is-a-geek.net:~/src/linux$

On Tue, Feb 23, 2016, 9:20 AM Brian Minton <brian at minton.name> wrote:

> No, but releases, aka tags, are.
>
> On Tue, Feb 23, 2016, 9:06 AM Jason A. Donenfeld <Jason at zx2c4.com> wrote:
>
>> On Tue, Feb 23, 2016 at 2:53 PM, Brian Minton <brian at minton.name> wrote:
>> > Certainly got can sign individual tags with an OpenPGP key. Each commit
>> is
>> > also hashed and the hashes are known. If you sign every commit, or at
>> least
>> > every release, the code can't be tampered with. This is the workflow
>> of, for
>> > instance, the Linux kernel.
>>
>> False. Commits in Linux development are not routinely signed.
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.zx2c4.com/pipermail/password-store/attachments/20160223/c07214a9/attachment.html>


More information about the Password-Store mailing list