From mboxrd@z Thu Jan 1 00:00:00 1970
From: Jason at zx2c4.com (Jason A. Donenfeld)
Date: Tue, 23 Feb 2016 15:03:00 +0100
Subject: [pass] Killing plaintext git:// in favor of https:// cloning
In-Reply-To:
References: <20160223011957.GA788@dcvr.yhbt.net>
Message-ID:

On Tue, Feb 23, 2016 at 2:53 PM, Brian Minton wrote:
> Certainly git can sign individual tags with an OpenPGP key. Each commit is
> also hashed and the hashes are known. If you sign every commit, or at least
> every release, the code can't be tampered with. This is the workflow of, for
> instance, the Linux kernel.

False. Commits in Linux development are not routinely signed.