[arch-dev-public] git packages and checksums
johannes at kyriasis.com
Sun Jul 19 12:58:27 UTC 2015
On 18/07, Gaetan Bisson wrote:
>[2015-07-18 22:32:47 -0400] Dave Reisner:
>> Tags are more explicitly published by upstreams than commit hashes. I'm
>> not sure I understand the benefit of switching. Why is it preferable to
>> use the "value" rather than the "pointer"? What makes it better?
>The commit hash is a checksum that ensures the integrity of the
>particular source tree you want. The tag, however, provides no
>information to verify the integrity.
>In other words, if someone hijacks your DNS resolver, github.com, or any
>other part of your connection to the git server, they can feed you
>malicious data and #tag=$version will never notice, while #commit=hash
Not to mention that it also prevents upstream from silently changing a
tag, so that the package built will no longer be the same.
PGP Key ID: 0x50FB9B273A9D0BB5
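The retargeted-tag scenario discussed above, as an added shell example that is not part of the thread: it builds a throwaway local repository (constructed, no network), moves a tag the way an upstream or an interposed server could, and checks that a `#commit=` pin still verifies while the tag no longer matches.

```shell
#!/bin/sh
# Added example (constructed): why #commit=<hash> catches a retargeted tag
# and #tag=<name> does not. Everything here runs against a throwaway local
# repository; no network, no real upstream.
set -eu

# Run git inside the demo repo with a fixed identity and signing disabled.
g() { git -C "$REPO" -c user.name=demo -c user.email=demo@example.invalid \
          -c commit.gpgsign=false -c tag.gpgsign=false "$@"; }

# verify_source REF EXPECTED: the check a pinned source spec amounts to.
# Succeeds only if REF resolves to the commit hash the maintainer recorded.
verify_source() {
  actual=$(g rev-parse --verify "$1^{commit}" 2>/dev/null) || return 1
  [ "$actual" = "$2" ]
}

# tag_drift_detected: returns 0 (true) when following the tag yields a
# different commit than the recorded hash, while the hash itself verifies.
tag_drift_detected() {
  REPO=$(mktemp -d)
  g init -q
  g commit -q --allow-empty -m "release 1.0"
  g tag v1.0
  pinned=$(g rev-parse v1.0)          # what goes into #commit= in the PKGBUILD

  # Upstream (or whoever controls the connection) now points v1.0 elsewhere.
  g commit -q --allow-empty -m "not the release you built last time"
  g tag -f v1.0 >/dev/null

  tag_matches=1; verify_source v1.0 "$pinned" || tag_matches=0
  pin_matches=1; verify_source "$pinned" "$pinned" || pin_matches=0
  rm -rf "$REPO"

  [ "$tag_matches" -eq 0 ] && [ "$pin_matches" -eq 1 ]
}

if tag_drift_detected; then
  echo "moved tag detected; #commit= pin still verifies"
fi
```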