[tz] Tonga returns to DST on 2016-11-06

Russ Allbery eagle at eyrie.org
Fri Nov 4 20:09:42 UTC 2016

Andreas Heigl <andreas at heigl.org> writes:
> On 04.11.16 at 20:37, Russ Allbery wrote:
>> Andreas Heigl <andreas at heigl.org> writes:
>>> On 04.11.16 at 20:15, Russ Allbery wrote:

>>>> GitHub will verify the signatures on tags for you if you upload the PGP
>>>> public key used to sign the tags to GitHub, and show the signature as
>>>> verified in their UI.  (Of course, that assumes you trust GitHub to do
>>>> that verification.)

>>> It's a feature from git itself, not github.
>>> https://git-scm.com/book/uz/v2/Git-Tools-Signing-Your-Work

>>> It is based on GPG-Keys so there's no central trusted instance which can
>>> be a benefit or a curse depending on how you look at it.

>> You and I are talking about different things.  I'm talking about the green
>> "Verified" text on, for example:

>>     https://github.com/rra/remctl/tags

> We are actually talking about the same thing. The tag is signed with
> your private key. As soon as you upload your public key to github, they
> can verify the signed tag and add the "Verified" Text. And everyone else
> can verify the tag also as long as they have your public key.

> BTW: Since git 1.7.5 (I think) you can also sign commits and GitHub will
> mark them as verified.

Ah, okay, then we're just talking past each other.  Yes, the tag signing
(and commit signing in general) is built into Git and you can have Git do
the verification.  All I had meant to point out is that GitHub will also
do that verification and present the results in the UI, which may be
useful for less sophisticated users who don't want to configure Git and
who want to just download a tarball from GitHub, but want some guarantee
that this was a signed release.

Russ Allbery (eagle at eyrie.org)              <http://www.eyrie.org/~eagle/>
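
The local check discussed in this thread, as an added example that is not part of the original messages: a shell function that reads the GnuPG status lines printed by `git verify-tag --raw` and accepts a tag only when the signature is valid and was made by a key you have pinned. The function name, fingerprints and sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: decide from GnuPG status lines whether a tag was signed by a
# pinned key. Real input would come from (TAGNAME is a placeholder):
#   git verify-tag --raw TAGNAME 2>&1 | signed_by_pinned_key "$PINNED_FPR"

# $1 = pinned fingerprint (40 hex digits, no spaces); stdin = status lines.
# Returns 0 only if a VALIDSIG line names that key and no line reports a
# bad, unverifiable, expired or revoked signature.
signed_by_pinned_key() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { veto = 1 }
        # VALIDSIG: field 3 is the signing key fingerprint; the last field,
        # when present, is the primary key fingerprint.
        $2 == "VALIDSIG" && (toupper($3) == toupper(want) ||
                             toupper($NF) == toupper(want)) { ok = 1 }
        END { exit (ok && !veto) ? 0 : 1 }
    '
}

# Constructed sample data (not real keys and not captured git output).
PINNED_FPR=0123456789ABCDEF0123456789ABCDEF01234567
OTHER_FPR=FEDCBA9876543210FEDCBA9876543210FEDCBA98
SAMPLE_GOOD="[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Constructed Signer
[GNUPG:] VALIDSIG $PINNED_FPR 2016-11-04 1478289000 0 4 0 1 8 00 $PINNED_FPR"
SAMPLE_BAD="[GNUPG:] NEWSIG
[GNUPG:] BADSIG 89ABCDEF01234567 Constructed Signer"
SAMPLE_EXPIRED_KEY="[GNUPG:] NEWSIG
[GNUPG:] EXPKEYSIG 89ABCDEF01234567 Constructed Signer
[GNUPG:] VALIDSIG $PINNED_FPR 2016-11-04 1478289000 0 4 0 1 8 00 $PINNED_FPR"
```

A cryptographically valid signature from a key other than the pinned one is rejected as well, which is the case a bare "signature is good" check misses.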
