"brian m. carlson" <sandals@xxxxxxxxxxxxxxxxxxxx> writes:

> I know that Git definitely does not know how to verify those signatures,
> though, so many people would end up not verifying them.

True that many people would end up not verifying them, but I do not think Git has much to do with that.

Some contributors seem to send PGP signed patches to this list (and I once mildly asked them not to, but these days I simply do not care), and if I had their public keys marked as trusted, my mail-reading environment would do the verification for me totally outside Git (as this part of the workflow is not about Git, but about communicating over authenticated and cryptographically protected messages, whose contents happen to be patches), and I'll just "git am" knowing that the patch is from the contributor who has access to that trusted key.

The "key" (no pun intended) in the above is the "if I had" part. The overhead of retrieving, validating, and keeping the key for a contributor becomes worth it only after the contributor turns out to be a very prolific one. The Web of Trust, while it was very attractive as a concept, is not so convenient to maintain well enough to be relied on as an infrastructure.