On 11 August 2015 at 09:05, Matthias Maier <tam...@gentoo.org> wrote:
> We could also provide automatic signed tags every 30min/1h/2h/whatever
> (signed with a suitable infrastructure key). With that, the integrity of
> a tagged git checkout can be easily verified on client side.
I'm distinctly under the impression that a signed tag doesn't really give you anything a signed commit wouldn't. That is, I was under the impression signing a tag only signs the references themselves, and then relies on SHA1 referential integrity beyond that.

Hence, a signed tag basically is a statement proving X author authorized Y-SHA1, and then it subsequently implies that X author authorized whatever Y-SHA1 refers to.

So adding additional tags *just* for the purpose of having a periodic signature would give no benefit over the "all tags are signed, all commits are signed" mechanism for git users, and the signed tag could _not_ be verified against an RSYNC clone.

--
Kent

KENTNL - https://metacpan.org/author/KENTNL
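The mechanism Kent describes, shown as an added worked example that is not part of the mailing-list thread and not Gentoo infrastructure code: a signed annotated tag is an object whose PGP-signed payload contains little more than an `object <sha1>` header naming the commit, so the signature vouches for an object id, and everything below that id (commit, tree, blobs) is trusted only through git's hash chain. The commit and tag objects, the tagger identity and the signature armor below are all constructed sample data; the signature block is a placeholder and is never cryptographically verified here, since the point is what the signed payload does and does not cover. This is also why such a tag says nothing about an rsync checkout: without git objects there is no id to recompute and compare against the signed one.

```python
from __future__ import annotations

import hashlib

SIG_BEGIN = b"-----BEGIN PGP SIGNATURE-----"


def git_object_id(obj_type: str, body: bytes) -> str:
    """Git object id: SHA-1 over the header 'type size\\0' followed by the body."""
    header = f"{obj_type} {len(body)}\0".encode()
    return hashlib.sha1(header + body).hexdigest()


def split_signed_tag(tag_body: bytes) -> tuple[bytes, bytes]:
    """Split an annotated tag body into (signed payload, signature armor).

    This mirrors what `git verify-tag` does before calling gpg: everything
    before the first armor line is the signed data, the armor block is the
    detached signature over it.
    """
    idx = tag_body.find(SIG_BEGIN)
    if idx < 0:
        raise ValueError("tag is not signed")
    return tag_body[:idx], tag_body[idx:]


def referenced_object(payload: bytes) -> str:
    """Return the object id named by the tag's first header line.

    The 'object <id>' line is the only link from the signed payload to the
    commit; no commit content is inside the signed data.
    """
    first_line = payload.split(b"\n", 1)[0]
    key, value = first_line.split(b" ", 1)
    if key != b"object":
        raise ValueError("malformed tag payload")
    return value.decode()


def tag_matches_commit(tag_body: bytes, commit_body: bytes) -> bool:
    """Recompute the commit id from its content and compare with the signed id.

    This step is the SHA-1 referential integrity the signature relies on: the
    signer vouched for an id, git derives the id from the bytes it actually has.
    """
    payload, _signature = split_signed_tag(tag_body)
    return referenced_object(payload) == git_object_id("commit", commit_body)


def build_signed_tag(commit_id: str, name: str, signature: bytes) -> bytes:
    """Assemble a tag object body the way git lays it out (constructed data)."""
    return (
        f"object {commit_id}\n"
        f"type commit\n"
        f"tag {name}\n"
        f"tagger Infra Bot <infra@example.invalid> 1439280300 +0000\n"
        f"\n"
        f"Periodic signed tag (constructed example)\n"
    ).encode() + signature


# Constructed sample commit; the tree id is git's well-known empty tree.
SAMPLE_COMMIT = (
    b"tree 4b825dc642cb6eb9a060e54bf8d69288fbee4904\n"
    b"author Example Dev <dev@example.invalid> 1439280300 +0000\n"
    b"committer Example Dev <dev@example.invalid> 1439280300 +0000\n"
    b"\n"
    b"Constructed sample commit\n"
)

# Placeholder armor: stands in for a real detached signature, not verifiable.
PLACEHOLDER_SIGNATURE = (
    SIG_BEGIN + b"\n"
    b"PLACEHOLDER-SIGNATURE-DATA\n"
    b"-----END PGP SIGNATURE-----\n"
)

SAMPLE_TAG = build_signed_tag(
    git_object_id("commit", SAMPLE_COMMIT), "sync-2015-08-11T0900", PLACEHOLDER_SIGNATURE
)


if __name__ == "__main__":
    payload, signature = split_signed_tag(SAMPLE_TAG)
    print("signed payload:\n" + payload.decode())
    print("signature covers only the lines above; target is", referenced_object(payload))
    print("tag matches commit content:", tag_matches_commit(SAMPLE_TAG, SAMPLE_COMMIT))
    tampered = SAMPLE_COMMIT.replace(b"sample", b"tampered")
    print("tag matches tampered commit:", tag_matches_commit(SAMPLE_TAG, tampered))
```

Running it prints the signed payload (headers plus tag message, no commit content) and shows that the tag still "matches" a commit only while the recomputed id equals the signed one; a single changed byte in the commit breaks the match, which is the hash-chain check that real signature verification of the tag object never performs itself.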