Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

Only signing releases is equivalent to saying "every bit of code I just released I trust and so should you". This means that you have to have reviewed every change to make sure someone didn't dupe you into signing a commit you didn't mean to.

Signing every commit is a much easier guarantee to make: "this change was made by me and I trust this change". In aggregate it's much better than just having signed releases (though of course you should sign releases in addition to this).



Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: