Hi,

On Sun, 13 Dec 2015 18:38:55 +0100 Patrick Lauer wrote:
> On 12/13/2015 06:36 PM, Patrick Lauer wrote:
> >  So apparently we're signing things with gpg now
> 
> And a related question:
> 
> How would I actually verify the signatures in a meaningful way?

git log --show-signature does this using GnuPG.

Of course, in order to gpg to work one have to mark dev keys as
trusted, they can be verified using ldap or several public
keyservers. LDAP is more reliable, of course, but this method works
only for devs (and probably some stuff members) having an access
here.

> ... and why is that not default then.


Best regards,
Andrew Savchenko