On Sun, Jun 22, 2014 at 1:34 PM, Rocki Hack <rocki.hack@xxxxxxxxx> wrote:
> I quote Linus Torvalds once again...
>
> "Well, you can (sign commits), but it's always going to be inferior to
> just adding a tag.
>
> The thing is, what is it you want to protect? The tree, the authorship,
> the committer info, the commit log, what?
>

We're protecting each set of changes pushed to github. We have to protect them from tampering. If I pull some of your commits which are not signed by you, there is a real possibility that someone at github is doing something quite underhanded. The possibilities are endless. You do understand this simple attack, right?

Bill