Re: Git-commits mailing list feed.

[Paul Jakma]

On Mon, 25 Apr 2005, Paul Jakma wrote:

> You dont even need it, see my other mail. If:
>
> - the signature is an object and added after the commit object
>
> - tools know that signatures are 'proxies of' or precursors to the
>  objects they are signing (which makes sense, a signature by
>  definition refers to something else)
>
> - the signature object refers to the object it is signing (eg a
>  'Signing <object ID>' header)
>
> Then head can simply be the signature object and tools can find the 
> commit by following the 'Signing' field of the signature (they dont 
> even need to check the signature is valid). No index lookup needed.

> You only need the index for historical verification really, and you can 
> always generate an index if needs be. (and have the tools maintain it).

Uh, I have no idea whether verifying a signature of a commit object 
is sufficient, ie equivalent to signing each file.

commit refers to tree objects, which I presume lists the SHA-1 object 
IDs of files, but IIRC Linus already described why a signature of the 
commit object should not be used to trust the rest of commit.. (i'll 
have to find his mail). If so, an index is required.

regards,
--
Paul Jakma	paul@xxxxxxxx	paul@xxxxxxxxx	Key ID: 64A2FF6A
Fortune:
Old programmers never die, they just hit account block limit.
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/