> Why do you think that seeing a username on Github is any different...
I don't.
> It is your own misunderstanding that seeing a username on Github implies it's verified.
I'm not confused. Others appear to be. My comment was in reply to a poster who seemed to be indicating that git lacked the ability to verify signed commits and tags.
I was informing him that git does indeed have that ability, and that its absence from GitHub is a GitHub problem, not a git problem.
You've leapt to an entirely unsupportable conclusion about my familiarity with git and commit/tag signing. :)
My informal, entirely unscientific survey of folks who use GitHub leads me to believe that they are -on average- less proficient with git, git concepts, and the notion of cryptographic signing than the average person who uses the git CLI.
This [0] appears to be the closest that the GH documentation gets to saying "anyone can commit with anyone else's email address". Adding support and graphics for tag and commit signature verification -along with support for tag/commit signing in the GitHub client- might be a nice thing to do for users who are not so familiar with git.
Oh, also:
> You need to git-verify [to verify unverified email addresses attached to git commits] in both cases.
git-verify-* is actually only useful on signed commits/tags. If a commit/tag hasn't been signed, it exits with a non-zero exit code and does nothing else. Given that the vast majority of commits one will run into will not be signed, git-verify-* typically won't help you to determine the validity of the authorship of a commit/tag. Reading the -very short- man page of either command would have caused you to understand this. :)
I don't.
> It is your own misunderstanding that seeing a username on Github implies it's verified.
I'm not confused. Others appear to be. My comment was in reply to a poster who seemed to be indicating that git lacked the ability to verify signed commits and tags.
I was informing him that git does indeed have that ability, and that its absence from GitHub is a GitHub problem, not a git problem.
You've leapt to an entirely unsupportable conclusion about my familiarity with git and commit/tag signing. :)
My informal, entirely unscientific survey of folks who use GitHub leads me to believe that they are -on average- less proficient with git, git concepts, and the notion of cryptographic signing than the average person who uses the git CLI.
This [0] appears to be the closest that the GH documentation gets to saying "anyone can commit with anyone else's email address". Adding support and graphics for tag and commit signature verification -along with support for tag/commit signing in the GitHub client- might be a nice thing to do for users who are not so familiar with git.
Oh, also:
> You need to git-verify [to verify unverified email addresses attached to git commits] in both cases.
git-verify-* is actually only useful on signed commits/tags. If a commit/tag hasn't been signed, it exits with a non-zero exit code and does nothing else. Given that the vast majority of commits one will run into will not be signed, git-verify-* typically won't help you to determine the validity of the authorship of a commit/tag. Reading the -very short- man page of either command would have caused you to understand this. :)
[0] https://help.github.com/articles/why-are-my-commits-linked-t...