Re: Git-commits mailing list feed.

[Linus Torvalds]

On Sat, 23 Apr 2005, Junio C Hamano wrote:
> 
> If that is the case, can't you do it without introducing this
> new tag object, like this?

No, because I also want to sign the _name_ I gave it.

Otherwise somebody can take my "signed commit", and claim that I called it 
something else.

Just signing the commit is indeed sufficient to just say "I trust this
commit". But I essentially what to also say what I trust it _for_ as well.

And sure, I could make a totally bogus "commit" object that just points to 
the original commit, uses the same "tree" from that original commit, and 
write what I want to trust into that commit. I then sign that, and create 
yet _another_ commit that has the signature (and the pointer to the just 
signed commit) in its commit message, and then I point to _that_ commit.

So yes, we can certainly do this with playing games with commits. That 
sounds singularly ugly, though, since just doing a "tag" object is a lot 
more straightforward, and really tells the world what's going on (and 
makes it easy for automated tools to just browse the object database and 
see "that's a tag").

			Linus
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/