[arch-dev-public] git packages and checksums

Johannes Löthberg johannes at kyriasis.com
Sun Jul 19 12:58:27 UTC 2015

On 18/07, Gaetan Bisson wrote:
>[2015-07-18 22:32:47 -0400] Dave Reisner:
>> Tags are more explicitly published by upstreams than commit hashes. I'm
>> not sure I understand the benefit of switching. Why is it preferrable to
>> use the "value" rather than the "pointer"? What makes it better?
>The commit hash is a checksum that ensures the integrity of the
>particular source tree you want. The tag, however, provides no
>information to verify the integrity.
>In other words, if someone hijacks your DNS resolver, github.com, or any
>other part of your connection to the git server, they can feed you
>malicious data and #tag=$version will never notice, while #commit=hash

Not to mention that it also prevents upstream from silently changing a 
tag, so that the package built will no longer be the same.

  Johannes Löthberg
  PGP Key ID: 0x50FB9B273A9D0BB5
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 1495 bytes
Desc: not available
URL: <https://lists.archlinux.org/pipermail/arch-dev-public/attachments/20150719/512f70af/attachment.asc>

More information about the arch-dev-public mailing list