Public Git hosting - pull request in signed email

If someone can do DNS spoofing, or break in to my server, then Linus can have no guarantee that what he pulled is what I wanted him to pull. Adding the SHA1 of the commit can give him that guarantee.

The mail reader I use (clawsmail) verifies email signatures quite nicely, and will even fetch keys for me. I don't think it warns me when someone changes keys which is something I would like.

Even emacs/vm can check mail signing...

I assumed that the bits that were too cumbersome were the signing and verification built in to git-tag.