[arch-dev-public] git packages and checksums

Gaetan Bisson bisson at archlinux.org
Sun Jul 19 03:43:37 UTC 2015


[2015-07-18 22:32:47 -0400] Dave Reisner:
> Tags are more explicitly published by upstreams than commit hashes. I'm
> not sure I understand the benefit of switching. Why is it preferable to
> use the "value" rather than the "pointer"? What makes it better?

The commit hash is a checksum that ensures the integrity of the
particular source tree you want. The tag, however, provides no
information to verify the integrity.

In other words, if someone hijacks your DNS resolver, github.com, or any
other part of your connection to the git server, they can feed you
malicious data and #tag=$version will never notice, while #commit=hash
will.

-- 
Gaetan
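To make the "value" versus "pointer" distinction concrete, here is an added example (not from the mailing-list thread or from makepkg) that recomputes git object ids exactly as git does and then contrasts a `#tag=` fetch with a `#commit=` fetch against a constructed, substituted source tree. The author identity, file contents and tag name are constructed for the demonstration.

```python
import hashlib

def git_object_id(kind: str, body: bytes) -> str:
    """Hash a loose git object the way git does: SHA-1 over
    "<type> <size>\\0<body>". The result is the id git prints."""
    header = f"{kind} {len(body)}\0".encode()
    return hashlib.sha1(header + body).hexdigest()

def blob_id(content: bytes) -> str:
    return git_object_id("blob", content)

def tree_id(entries: dict[str, str]) -> str:
    """Tree of regular files only; entries map filename -> blob id.
    git sorts entries by name and stores each id as 20 raw bytes."""
    body = b"".join(f"100644 {name}\0".encode() + bytes.fromhex(oid)
                    for name, oid in sorted(entries.items()))
    return git_object_id("tree", body)

AUTHOR = "A U Thor <author@example.org> 0 +0000"  # constructed identity

def commit_id(tree: str, message: str) -> str:
    """Root commit (no parent); the tree id and author lines are all hashed."""
    body = f"tree {tree}\nauthor {AUTHOR}\ncommitter {AUTHOR}\n\n{message}\n"
    return git_object_id("commit", body.encode())

def snapshot_commit(files: dict[str, bytes], message: str = "Release 1.0") -> str:
    """Commit id of a whole source tree: change any byte, every id above it changes."""
    return commit_id(tree_id({n: blob_id(d) for n, d in files.items()}), message)

# Constructed scenario: the honest release and a substituted copy of it.
HONEST = {"main.c": b"int main(void) { return 0; }\n"}
TAMPERED = {"main.c": b"int main(void) { return 1; }\n"}

def fetch_by_tag(server_refs: dict[str, str], tag: str) -> tuple[str, bool]:
    """#tag=: the client takes whatever commit the server's tag names right now.
    Nothing on the client side says which commit that should be, so it is accepted."""
    return server_refs[f"refs/tags/{tag}"], True

def fetch_by_commit(server_files: dict[str, bytes], pinned: str) -> tuple[str, bool]:
    """#commit=: git recomputes each received object's id from its content,
    so a substituted tree can never produce the pinned commit id."""
    received = snapshot_commit(server_files)
    return received, received == pinned

if __name__ == "__main__":
    good, bad = snapshot_commit(HONEST), snapshot_commit(TAMPERED)
    print("tag    :", fetch_by_tag({"refs/tags/v1.0": bad}, "v1.0"))
    print("commit :", fetch_by_commit(TAMPERED, good))
```

The tag fetch reports the substituted commit as accepted; the commit-pinned fetch returns the same substituted id but flags the mismatch, which is the check the mail describes.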

