[SGVLUG] Keysigning

Jeremy Leader jleader at alumni.caltech.edu
Mon Dec 2 13:18:42 PST 2013


On 12/01/2013 07:34 PM, Henry B Hotz wrote:
> On Nov 30, 2013, at 10:51 AM, Diane Trout <diane at ghic.org> wrote:
>> So when one of them signed some Python software I had reason to believe that
>> it was certified by a person I had met. (You can get to stronger levels of
>> trust in a piece of software using signed commits in git).
>
> Could someone please explain what this means? Git uses stronger crypto than PGP?

It's not that the crypto is stronger, but that the information vouched for by 
the signatures is more detailed, because each individual step in developing the 
software is signed by the individual who committed it to the git repository.

It's debatable whether this level of trust is "stronger", though obviously in 
combination, the 2 forms of signing are more trustworthy than either alone.

-- 
Jeremy Leader
jleader at alumni.caltech.edu
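
The per-commit vouching described in the message above can be checked mechanically. This is an added example, not part of the original message: it classifies each commit by signature status and signer, reading output in the format of `git log --format='%H|%G?|%GF|%an'`. The commit ids, fingerprints, names and the trusted set are constructed sample values, and the accept policy (good signature plus a fingerprint you verified yourself) is an assumption.

```python
# Added example: classify commits by signature status and signer.
# Input format matches `git log --format='%H|%G?|%GF|%an'`; the commit
# ids, fingerprints and names below are constructed sample data.
SAMPLE_LOG = """\
a1f3c9e|G|AAAA1111AAAA1111AAAA1111AAAA1111AAAA1111|alice
b27d004|U|BBBB2222BBBB2222BBBB2222BBBB2222BBBB2222|bob
c9e81aa|N||carol
d440b7f|B||alice
e05c2d3|X|AAAA1111AAAA1111AAAA1111AAAA1111AAAA1111|alice
"""

# Fingerprints of keys checked in person, e.g. at a keysigning (constructed).
TRUSTED = {"AAAA1111AAAA1111AAAA1111AAAA1111AAAA1111"}

# Meaning of git's %G? placeholder values.
STATUS = {
    "G": "good signature",
    "B": "bad signature",
    "U": "good signature, key validity unknown",
    "X": "good signature that has expired",
    "Y": "good signature made by an expired key",
    "R": "good signature made by a revoked key",
    "E": "signature cannot be checked (missing key)",
    "N": "no signature",
}

def audit(log_text, trusted):
    """Split commits into (accepted, rejected) lists of (commit, author, reason)."""
    accepted, rejected = [], []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        commit, status, fingerprint, author = line.split("|", 3)
        reason = STATUS.get(status, "unrecognised status " + repr(status))
        if status not in ("G", "U"):
            rejected.append((commit, author, reason))
        elif fingerprint not in trusted:
            rejected.append((commit, author, reason + ", signer not in trusted set"))
        else:
            accepted.append((commit, author, reason))
    return accepted, rejected

if __name__ == "__main__":
    ok, bad = audit(SAMPLE_LOG, TRUSTED)
    for commit, author, reason in ok:
        print("ACCEPT", commit, author, reason)
    for commit, author, reason in bad:
        print("REJECT", commit, author, reason)
```

A single signature on a release tarball would say nothing about which of these five commits were vouched for; the per-commit view shows that only one of them traces back to a key in the trusted set.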


