by asharp
5134 days ago
From what I've read, the problem is that an attacker can add commits with forced Author information into a central repository to frame somebody else. Wouldn't the signing of all commits as they are committed solve this problem? (i.e., rather than trusting Author information from the commit, trust the signed-by information to give author information?)

The GPG signature cannot be forged (access to the private key is needed).
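
The check proposed in the comment above, sketched as an added example that is not part of the original thread: it lists every commit whose Author field is not backed by a good signature, using git's `%G?` status. The function names are hypothetical, and a `G` status assumes the signer's public key is already in the verifier's keyring.

```shell
#!/bin/sh
# Added example (not from the thread): audit a repository for commits whose
# author information is not backed by a good signature.
# %G? is git's signature status for a commit:
#   G = good signature, N = no signature, B = bad signature,
#   other letters = signature present but key unknown, expired or revoked.

# audit_unsigned REPO [REV]
# Prints "<hash> <status> <author name> <author email>" for every commit
# reachable from REV (default HEAD) whose status is not G.
# Returns 0 when every commit has a good signature, 1 otherwise.
audit_unsigned() {
    repo=$1
    rev=${2:-HEAD}
    out=$(git -C "$repo" log --format='%H %G? %an <%ae>' "$rev" |
          awk '$2 != "G"')
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# make_demo_repo
# Constructed sample: a throwaway repository holding one unsigned commit whose
# Author header names someone other than the committer. Prints the repo path.
make_demo_repo() {
    dir=$(mktemp -d)
    git -C "$dir" init -q
    git -C "$dir" \
        -c user.name='Committer' -c user.email='committer@example.com' \
        -c commit.gpgsign=false \
        commit -q --allow-empty \
        --author='Alice Example <alice@example.com>' -m 'demo commit'
    printf '%s\n' "$dir"
}
```

Run as a server-side or CI gate, a non-zero return from `audit_unsigned` means at least one commit's Author field rests on nothing but the text in the commit header.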