[arch-dev-public] git packages and checksums

Jerome Leclanche jerome at leclan.ch
Sun Jul 19 04:52:39 UTC 2015


On 19 July 2015 at 05:43, Gaetan Bisson <bisson at archlinux.org> wrote:
> [2015-07-18 22:32:47 -0400] Dave Reisner:
>> Tags are more explicitly published by upstreams than commit hashes. I'm
>> not sure I understand the benefit of switching. Why is it preferable to
>> use the "value" rather than the "pointer"? What makes it better?
>
> The commit hash is a checksum that ensures the integrity of the
> particular source tree you want. The tag, however, provides no
> information to verify the integrity.
>
> In other words, if someone hijacks your DNS resolver, github.com, or any
> other part of your connection to the git server, they can feed you
> malicious data and #tag=$version will never notice, while #commit=hash
> will.
>
> --
> Gaetan


git tags can and should be pgp-signed, especially if the upstream is
relying purely on git for releases. Is any package not covered by
that?

J. Leclanche
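To make the distinction in this thread concrete, here is an added example (not code from the thread or from makepkg) that audits a PKGBUILD source array and reports which git entries are bound to content an on-path attacker cannot substitute: a full commit hash, or a tag/commit whose signature makepkg verifies via the `?signed` suffix against `validpgpkeys`. The `SAMPLE_SOURCES` list, the `example.invalid` URLs and the function names `classify_git_source` and `audit` are constructed for illustration.

```python
import re

# Constructed sample source array, shaped like the one a PKGBUILD would declare.
SAMPLE_SOURCES = [
    "git+https://example.invalid/upstream/foo.git#tag=v1.2.0",
    "git+https://example.invalid/upstream/foo.git#commit=0123456789abcdef0123456789abcdef01234567",
    "foo::git+https://example.invalid/upstream/foo.git#tag=v1.2.0?signed",
    "git+https://example.invalid/upstream/foo.git#branch=master",
    "git+https://example.invalid/upstream/foo.git",
    "git+https://example.invalid/upstream/foo.git#commit=0123456",
    "https://example.invalid/foo-1.2.0.tar.gz",
]

FULL_SHA1 = re.compile(r"^[0-9a-f]{40}$")


def classify_git_source(entry):
    """Return (verdict, reason) for one makepkg source entry.

    'verified' means the fetched tree is bound to something a hijacked DNS,
    TLS endpoint or git server cannot silently replace: a full commit hash
    (git's object hashing covers the whole tree) or a reference whose
    signature makepkg checks because of the '?signed' suffix. Everything
    else is a mutable pointer with no integrity information of its own.
    """
    url = entry.split("::", 1)[1] if "::" in entry else entry  # drop 'name::' rename prefix
    if not (url.startswith("git+") or url.startswith("git://")):
        return "not-git", "not a git source; integrity comes from sha256sums/validpgpkeys instead"
    url, _, fragment = url.partition("#")
    signed = fragment.endswith("?signed")
    if signed:
        fragment = fragment[: -len("?signed")]
    key, _, value = fragment.partition("=")
    if key == "commit":
        if FULL_SHA1.match(value):
            return "verified", "full commit hash names the exact tree"
        if signed:
            return "verified", "commit signature checked against validpgpkeys before build"
        return "unverified", "abbreviated commit hash; a short prefix is cheap to collide"
    if key == "tag" and signed:
        return "verified", "tag signature checked against validpgpkeys before build"
    if key in ("tag", "branch"):
        return "unverified", f"{key} is a mutable pointer with no integrity information"
    if key == "":
        return "unverified", "no fragment: builds whatever HEAD points at when fetched"
    return "unknown", f"unrecognised fragment {key!r}"


def audit(sources):
    """Map each entry to its verdict; returns [(entry, verdict, reason), ...]."""
    return [(s, *classify_git_source(s)) for s in sources]


if __name__ == "__main__":
    for entry, verdict, reason in audit(SAMPLE_SOURCES):
        print(f"{verdict:10} {entry}\n           {reason}")
```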

