On Fri, 2017-02-24 at 16:01 -0500, Eli Schwartz wrote:
> Congratulations, you have just won today's FUD award!
The goal, as I understood it, is to promote the practice of upstream developers (project maintainers, release managers, whomever) signing their code so that downstream users and packagers can verify that the source they receive is identical to what upstream wants to put out. For me, trusting the "generate an archive" step to a third party is in opposition to promoting good practice. I don't care if GitHub is good today, they may not be good tomorrow, and if an upstream gets cozy with the idea of "just download the GitHub archive" to sign off a release, they open themselves up to a world of hurt when GitHub (or anyone successfully pulling off a MITM attack -- unlikely with HTTPS, but not entirely impossible) starts messing with those archives, inserting/changing things not supposed to be there. I do believe there is a healthy amount of uncertainty and doubt to take here. It's great that GitHub generates archives today that are identical to git-archive's own files. It may not always be the case.
> For everyone else on this thread, what that Wiki *really* said, is:
>
> > 4. Go back to your "Releases" section and download the tarball mysoftware-0.4.tar.gz automatically generated by GitHub. Verify that the tarball contains exactly the same data as the git repository.
>
> The wiki also skimmed over exactly how to do this. "diff -r", comparing checksums from git-archive, diffoscope?
>
> Also, that Wiki page actually gave the original source for Mike's plagiarized local example. But someone should probably fix that Wiki, and Mike's untested plagiarism... because I, having actually tested it myself, can confirm those commands don't work on account of someone being really confused about what a "tag" is.
I stopped reading after the prior point, but thanks for accusing me of plagiarism when their example doesn't even take the same route I did. Or accusing me of having it untested. I use the command all the time. It works. (And if you're saying any upstream developer doesn't understand what a tag is, I'm sorry. It's irresponsible to not know how to use your own tooling. Learn git and get good at it.)
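The thread leaves open how a packager would actually check that a GitHub-generated tarball "contains exactly the same data as the git repository". The script below is an added example written for this page; it is not from either poster or from the wiki being discussed. It assumes the packager has already produced a reference archive locally with something like `git archive --prefix=mysoftware-0.4/ -o reference.tar.gz v0.4` (the tag name and prefix are assumptions) and wants to compare the downloaded release tarball against it. Both archives are unpacked with their single top-level directory stripped, so a different directory prefix does not cause a false mismatch, and the trees are compared with `diff -r`. The sample archives at the bottom are constructed inline so the script runs without network access or a git checkout.

```shell
#!/bin/sh
# Added example (not from the thread): compare a downloaded release tarball
# against a reference archive produced locally with `git archive <tag>`.
# Returns 0 when the extracted trees are identical, 1 when they differ,
# 2 when either archive could not be unpacked.
compare_release_tarballs() {
    downloaded="$1"   # e.g. mysoftware-0.4.tar.gz from the GitHub "Releases" page
    reference="$2"    # e.g. git archive --prefix=mysoftware-0.4/ -o reference.tar.gz v0.4
    work=$(mktemp -d) || return 2
    mkdir "$work/downloaded" "$work/reference"
    # Strip the top-level directory so "mysoftware-0.4/" vs "repo-v0.4/" prefixes
    # do not mask a content comparison.
    tar -xzf "$downloaded" -C "$work/downloaded" --strip-components=1 || { rm -rf "$work"; return 2; }
    tar -xzf "$reference"  -C "$work/reference"  --strip-components=1 || { rm -rf "$work"; return 2; }
    # diff -r reports any file that is added, removed, or changed in content;
    # timestamps and archive ordering are deliberately ignored.
    if diff -r "$work/downloaded" "$work/reference" >/dev/null; then
        rc=0
    else
        rc=1
    fi
    rm -rf "$work"
    return $rc
}

# Constructed sample data (not a real release): a small "upstream" tree, a
# matching archive, and an archive with one extra file that is not in git.
# Prints the directory holding reference.tar.gz, good.tar.gz and tampered.tar.gz.
make_sample_archives() {
    sample=$(mktemp -d) || return 2
    mkdir -p "$sample/mysoftware-0.4/src"
    printf 'int main(void) { return 0; }\n' > "$sample/mysoftware-0.4/src/main.c"
    printf 'mysoftware 0.4\n' > "$sample/mysoftware-0.4/README"
    tar -czf "$sample/reference.tar.gz" -C "$sample" mysoftware-0.4
    tar -czf "$sample/good.tar.gz" -C "$sample" mysoftware-0.4
    printf 'this file is not in the git tree\n' > "$sample/mysoftware-0.4/extra-file.txt"
    tar -czf "$sample/tampered.tar.gz" -C "$sample" mysoftware-0.4
    echo "$sample"
}

# Stand-alone demonstration on the constructed archives.
sample_dir=$(make_sample_archives)
if compare_release_tarballs "$sample_dir/good.tar.gz" "$sample_dir/reference.tar.gz"; then
    echo "good.tar.gz: identical to the git archive output"
fi
if ! compare_release_tarballs "$sample_dir/tampered.tar.gz" "$sample_dir/reference.tar.gz"; then
    echo "tampered.tar.gz: differs from the git archive output (extra-file.txt)"
fi
rm -rf "$sample_dir"
```

In practice the reference archive should come from a freshly cloned repository at the signed tag, not from the same download being checked; a match then says the GitHub-generated tarball carries exactly the tracked files at that tag, which is the property the wiki step asks for. Comparing checksums of the two `.tar.gz` files directly is not equivalent, because compression settings and archive metadata can legitimately differ while the content is the same.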