On 19 July 2015 at 05:43, Gaetan Bisson <bisson@archlinux.org> wrote:
[2015-07-18 22:32:47 -0400] Dave Reisner:
Tags are more explicitly published by upstreams than commit hashes. I'm not sure I understand the benefit of switching. Why is it preferable to use the "value" rather than the "pointer"? What makes it better?
The commit hash is a checksum that ensures the integrity of the particular source tree you want. The tag, however, provides no information to verify the integrity.
In other words, if someone hijacks your DNS resolver, github.com, or any other part of your connection to the git server, they can feed you malicious data and #tag=$version will never notice, while #commit=hash will.
-- Gaetan
git tags can and should be pgp-signed, especially if the upstream is relying purely on git for releases. Is any package not covered by that?

J. Leclanche
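Added example, not from this thread or from makepkg itself: a small Python audit that grades each entry of a PKGBUILD source=() array by how strongly it pins the tree that will be built, following the distinction drawn above between a commit hash (a checksum of the tree), a tag or branch (a pointer the server resolves), and a tag whose signature makepkg is asked to verify. It assumes the makepkg `[name::]url#fragment[?signed]` form; the sample entries and their example.com hosts are constructed.

```python
import re

# makepkg VCS source syntax: [name::]url#fragment[?query]
# fragment is commit=, tag= or branch=; the query "signed" asks makepkg to
# verify the PGP signature on the fetched tag/commit against validpgpkeys.
FULL_HASH = re.compile(r"^([0-9a-f]{40}|[0-9a-f]{64})$")  # SHA-1 or SHA-256 object id

def parse_git_source(entry):
    """Split a source entry into (name, url, fragment_type, fragment_value, signed)."""
    name, rest = (entry.split("::", 1) if "::" in entry else (None, entry))
    rest, _, query = rest.partition("?")
    url, _, fragment = rest.partition("#")
    ftype, _, fvalue = (fragment.partition("=") if fragment else (None, None, None))
    return name, url, ftype, fvalue, query == "signed"

def classify(entry):
    """How strongly does this entry pin the tree it will build from?

    content        : full commit hash; a tampered tree cannot produce it
    weak           : abbreviated hash; checked, but prefix collisions are cheap
    signed-pointer : tag/branch whose PGP signature makepkg will verify
    pointer        : tag/branch; whoever controls the server picks the tree
    unpinned       : no fragment at all, whatever HEAD happens to be
    """
    _, url, ftype, fvalue, signed = parse_git_source(entry)
    # Only the git+<proto> and git:// forms are treated as git sources here.
    if not (url.startswith("git+") or url.startswith("git://")):
        return "not-git"
    if ftype is None:
        return "unpinned"
    if ftype == "commit":
        return "content" if FULL_HASH.match(fvalue) else "weak"
    if ftype in ("tag", "branch"):
        return "signed-pointer" if signed else "pointer"
    return "unknown-fragment"

def audit(sources):
    """Return {entry: verdict} for every entry of a PKGBUILD source=() array."""
    return {entry: classify(entry) for entry in sources}

# Constructed sample source array; these are not real packages.
SAMPLE_SOURCES = [
    "foo::git+https://github.com/example/foo.git#commit=" + "a" * 40,
    "git+https://github.com/example/bar.git#tag=v1.2.3",
    "git+https://github.com/example/bar.git#tag=v1.2.3?signed",
    "git+https://github.com/example/baz.git#commit=deadbee",
    "git+https://github.com/example/quux.git",
    "https://example.org/foo-1.0.tar.gz",
]

if __name__ == "__main__":
    for entry, verdict in audit(SAMPLE_SOURCES).items():
        print(f"{verdict:15s} {entry}")
```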