18 Jul 2015, 11:43 p.m.
[2015-07-18 22:32:47 -0400] Dave Reisner:
Tags are more explicitly published by upstreams than commit hashes. I'm not sure I understand the benefit of switching. Why is it preferable to use the "value" rather than the "pointer"? What makes it better?
The commit hash is a checksum that ensures the integrity of the particular source tree you want. The tag, however, provides no information to verify the integrity. In other words, if someone hijacks your DNS resolver, github.com, or any other part of your connection to the git server, they can feed you malicious data and #tag=$version will never notice, while #commit=hash will.

-- Gaetan
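The difference between the two source forms discussed in this thread can be reproduced locally. The script below is an added example, not part of either message: it builds a constructed upstream repository, moves the tag `v1.0` to different content, and compares a fetch by tag with a fetch by full commit hash. It assumes `git` is installed; the function names, file names and the tag name are made up for the demonstration.

```shell
#!/bin/sh
# Added example; repo contents, paths and the tag name v1.0 are constructed.
# Throwaway identity so commits work without any user git configuration.
export GIT_AUTHOR_NAME=demo GIT_AUTHOR_EMAIL=demo@example.invalid
export GIT_COMMITTER_NAME=demo GIT_COMMITTER_EMAIL=demo@example.invalid

# make_upstream DIR: constructed upstream with one release tagged v1.0.
make_upstream() {
    git init -q "$1" 2>/dev/null &&
    echo 'echo hello' > "$1/build.sh" &&
    git -C "$1" add build.sh &&
    git -C "$1" commit -q -m 'release 1.0' &&
    git -C "$1" tag v1.0
}

# retag_upstream DIR: the served data changes; v1.0 now names other content.
retag_upstream() {
    echo 'echo tampered' > "$1/build.sh" &&
    git -C "$1" commit -q -am 'different content' &&
    git -C "$1" tag -f v1.0 >/dev/null
}

# clone_tag URL DEST TAG: like "#tag="; prints whichever commit TAG resolved to.
clone_tag() {
    git clone -q --branch "$3" "$1" "$2" 2>/dev/null &&
    git -C "$2" rev-parse HEAD
}

# clone_commit URL DEST COMMIT: like "#commit="; COMMIT must be the full hash.
# Fails unless the checkout ends up at exactly that commit.
clone_commit() {
    git clone -q "$1" "$2" 2>/dev/null &&
    git -C "$2" checkout -q --detach "$3" 2>/dev/null &&
    [ "$(git -C "$2" rev-parse HEAD)" = "$3" ]
}

# demo: shows the tag following the change while the commit pin does not.
demo() {
    work=$(mktemp -d) && make_upstream "$work/up" || return 1
    pinned=$(git -C "$work/up" rev-parse HEAD)
    retag_upstream "$work/up"
    echo "pinned commit : $pinned"
    echo "tag v1.0 now  : $(clone_tag "$work/up" "$work/by-tag" v1.0)"
    echo "tag content   : $(cat "$work/by-tag/build.sh")"
    clone_commit "$work/up" "$work/by-commit" "$pinned" &&
        echo "commit content: $(cat "$work/by-commit/build.sh")"
    rm -rf "$work"
}
demo
```

The fetch by tag silently returns the changed `build.sh`, while the fetch by commit hash returns the original file or fails outright.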