Re: Validating tarballs against git repositories
On Fri, Mar 29, 2024 at 06:21:27PM -0600, Antonio Russo wrote:
>...
> 1. Move towards allowing, and then favoring, git-tags over source tarballs
>...
git commit IDs, not tags.
Upstream moving git tags does sometimes happen.
Usually for bad-but-not-malicious reasons like "add one more last-minute fix",
but using tags would also invite to manipulation similar to what
happened with xz at any point after the release.
> Best,
> Antonio Russo
cu
Adrian
Reply to: