[pacman-dev] [PATCH 0/2] Deprecate md5sums, show sha256sums as an example-by-default.

Eli Schwartz eschwartz93 at gmail.com
Fri Feb 24 21:01:52 UTC 2017


On 02/24/2017 03:27 PM, Mike Swanson wrote:
> On Fri, 2017-02-24 at 14:52 +0100, Bruno Pagani wrote:
>> Debian wrote a nice page about this:
>> https://wiki.debian.org/Creating%20signed%20GitHub%20releases
> 
> This wiki offers bad advice.  It trusts that GitHub itself is not
> compromised and will provide a good download based on the repository
> alone.
> 
> Thankfully, because GitHub normally just uses `git archive` and those
> releases are deterministic, it can be solved by using your local
> repository alone, for example:
> 
> $ git archive --format=tar.gz --prefix=mysoftware-0.4/ mysoftware-0.4 \
>   | gpg -a -b -o mysoftware-0.4.tar.gz.asc

Congratulations, you have just won today's FUD award!

For everyone else on this thread, what that Wiki *really* said, is:
> 4. Go back to your "Releases" section and download the tarball
> mysoftware-0.4.tar.gz automatically generated by GitHub. Verify that
> the tarball contains exactly the same data as the git repository.

Also, that Wiki page actually gave the original source for Mike's
plagiarized local example. But someone should probably fix that Wiki,
and Mike's untested plagiarism... because I, having actually tested it
myself, can confirm those commands don't work on account of someone
being really confused what a "tag" is.

The following git alias does work for the latest tag on $currentbranch,
assuming the repo is cloned to a directory named the same as the remote
repo name, which I believe is a reasonable assumption to make (but for
more robustness, parse the output of `git config --get
remote.$(git config --get branch.master.remote).url`).

```
[eschwartz at arch ~]$ git config --get alias.github-archive
!sh -c 'repo=$(basename $(pwd)) && tag=$(git describe --abbrev=0 --tags) && git archive --prefix=${repo}-${tag#v}/ -o ${repo}-${tag#v}.tar.gz ${tag}'
```


-- 
Eli Schwartz
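Added example, not code from this thread or from pacman: the alias above as a small script that also does the step the Debian wiki asks for, checking a downloaded GitHub tarball against the one `git archive` produces from the local clone. The repository name is taken from the origin URL instead of `$(pwd)`, as suggested above. Assumptions: the remote is called "origin", tags may carry a leading "v", and the sample repository, its files and the `https://github.com/example/mysoftware.git` URL are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the pacman-dev thread: build the tarball GitHub
# would generate for a tag from the local clone, and check a downloaded copy
# against it by content. Assumes the remote is called "origin" and that tags
# may carry a leading "v"; the sample repository below is constructed.
set -eu

# Repository name taken from the origin URL (as the thread suggests for
# robustness), falling back to the directory name when there is no remote.
repo_name() {
    url=$(git config --get remote.origin.url 2>/dev/null || true)
    [ -n "$url" ] || url=$(pwd)
    url=${url%/}
    url=${url%.git}
    basename "$url"
}

# github_archive [tag]: write <repo>-<tag sans leading v>.tar.gz in the
# current directory, with the matching --prefix, and print the file name.
github_archive() {
    tag=${1:-$(git describe --abbrev=0 --tags)}
    repo=$(repo_name)
    out="${repo}-${tag#v}.tar.gz"
    git archive --format=tar.gz --prefix="${repo}-${tag#v}/" -o "$out" "$tag"
    printf '%s\n' "$out"
}

# sha256 of the uncompressed tar stream, so only the archive content counts,
# not the gzip wrapper around it (which can differ between compressors).
tar_stream_sha256() {
    gzip -dc "$1" | sha256sum | cut -d' ' -f1
}

# verify_tarball DOWNLOADED REFERENCE: print "identical" when the tar streams
# match, "same-content" when the tar bytes differ (owner, mtime, pax headers)
# but the unpacked trees are equal, "MISMATCH" (exit 1) otherwise.
verify_tarball() {
    a=$1; b=$2
    if [ "$(tar_stream_sha256 "$a")" = "$(tar_stream_sha256 "$b")" ]; then
        echo identical; return 0
    fi
    tmp=$(mktemp -d)
    mkdir "$tmp/a" "$tmp/b"
    tar -xzf "$a" -C "$tmp/a"
    tar -xzf "$b" -C "$tmp/b"
    if diff -r "$tmp/a" "$tmp/b" >/dev/null 2>&1; then
        rm -rf "$tmp"; echo same-content; return 0
    fi
    rm -rf "$tmp"
    echo MISMATCH; return 1
}

# make_sample_repo DIR: a throwaway repository standing in for "mysoftware"
# (constructed for this example), tagged v0.4, with a fake GitHub origin URL.
# Leaves the shell inside DIR.
make_sample_repo() {
    dir=$1
    git init -q "$dir"
    cd "$dir"
    git remote add origin https://github.com/example/mysoftware.git
    printf 'all:\n\techo build\n' > Makefile
    echo 'int main(void){return 0;}' > main.c
    git add .
    git -c user.name=ex -c user.email=ex@example.invalid commit -q -m 'release 0.4'
    git tag v0.4
}

# Stand-alone run: sh this_script.sh --demo
case "${1:-}" in
    --demo)
        work=$(mktemp -d)
        make_sample_repo "$work/mysoftware"
        f=$(github_archive)
        verify_tarball "$f" "$f"
        ;;
esac
```

Comparing the uncompressed tar stream first, and the unpacked trees second, is deliberate: GitHub's gzip wrapper is not something you control, and "same-content" is still a pass for the purpose of the wiki's step 4. What this does not do is authenticate the tag itself; signing the tag and the tarball with gpg, as discussed in the thread, is a separate step.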
