Re: Validating tarballs against git repositories

To: Antonio Russo <aerusso@aerusso.net>
Cc: debian-devel <debian-devel@lists.debian.org>
Subject: Re: Validating tarballs against git repositories
From: Adrian Bunk <bunk@debian.org>
Date: Sat, 30 Mar 2024 22:58:54 +0200
Message-id: <[🔎] Zgh9Dk99EF0yb6qJ@localhost>
In-reply-to: <[🔎] 2fbfdafc-31f1-43df-be49-f6b0725bfb3e@aerusso.net>
References: <[🔎] 2fbfdafc-31f1-43df-be49-f6b0725bfb3e@aerusso.net>

On Fri, Mar 29, 2024 at 06:21:27PM -0600, Antonio Russo wrote:
>...
> 1. Move towards allowing, and then favoring, git-tags over source tarballs
>...

git commit IDs, not tags.

Upstream moving git tags does sometimes happen.

Usually for bad-but-not-malicious reasons like "add one more last-minute fix",
but using tags would also invite to manipulation similar to what 
happened with xz at any point after the release.

> Best,
> Antonio Russo

cu
Adrian

Reply to:

References:
- Validating tarballs against git repositories
  - From: Antonio Russo <aerusso@aerusso.net>

Prev by Date: Is it allowed to remove attribution in public domain "licensed" source code? (and pondering about ftp-level reviews)
Next by Date: Re: xz backdoor
Previous by thread: Re: Validating tarballs against git repositories
Next by thread: Bug#1068048: ITA: gnu-which -- Utility to show the full path of commands
Index(es):
- Date
- Thread