[pacman-dev] [PATCH 0/2] Deprecate md5sums, show sha256sums as an example-by-default.

Mike Swanson mikeonthecomputer at gmail.com
Sun Feb 26 05:49:07 UTC 2017


On Fri, 2017-02-24 at 16:01 -0500, Eli Schwartz wrote:
> Congratulations, you have just won today's FUD award!

The goal, as I understood it, is to promote the practice of upstream
developers (project maintainers, release managers, whomever) signing
their code so that downstream users and packagers can verify that the
source they receive is identical to what upstream wants to put out.
For me, trusting the "generate an archive" to a third party is in
opposition to promoting good practice.  I don't care if GitHub is good
today, they may not be good tomorrow, and if an upstream gets cozy to
the idea of "just download the GitHub archive" to sign off a release,
they open themselves up to a world of hurt when GitHub (or anyone
successfully pulling off a MITM attack -- unlikely with HTTPS, but not
entirely impossible) starts messing with those archives,
inserting/changing things not supposed to be there.

I do believe there is a healthy amount of uncertainty and doubt to take
here.  It's great that GitHub generates archives today that are
identical to git-archive's own files.  It may not always be the case.

> For everyone else on this thread, what that Wiki *really* said, is:
> > 4. Go back to your "Releases" section and download the tarball
> > mysoftware-0.4.tar.gz automatically generated by GitHub. Verify that
> > the tarball contains exactly the same data as the git repository.

The wiki also skimmed over exactly how to do this. "diff -r", comparing
checksums from git-archive, diffoscope?

> Also, that Wiki page actually gave the original source for Mike's
> plagiarized local example. But someone should probably fix that Wiki,
> and Mike's untested plagiarism... because I, having actually tested it
> myself, can confirm those commands don't work on account of someone
> being really confused what a "tag" is.

I stopped reading after the prior point, but thanks for accusing me of
plagiarism when their example doesn't even take the same route I did.
Or accusing me of having it untested.  I use the command all the time.
It works.

(And if you're saying any upstream developer doesn't understand what a
tag is, I'm sorry.  It's irresponsible to not know how to use your own
tooling.  Learn git and get good at it.)
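As an added example, not code from this thread or from pacman, here is a POSIX shell check for the verification step the wiki glossed over: unpack the downloaded tarball and `diff -r` it against the tree of the signed tag. It assumes `git`, `tar` and `diff` are on the PATH; the tag name and tarball path are whatever the maintainer uses.

```shell
#!/bin/sh
# Added example, not from the thread: confirm that a release tarball holds exactly
# the tree of a git tag. Comparing .tar.gz bytes is unreliable (gzip stores a
# timestamp, tar headers carry uid/mtime/ordering), so compare the extracted trees.
set -eu

# extract_tree TARBALL DEST: unpack TARBALL into DEST and print the path of its
# single top-level directory (GitHub and git-archive both prefix one).
extract_tree() {
    tar -xzf "$1" -C "$2"
    set -- "$2"/*
    [ $# -eq 1 ] && [ -d "$1" ] || { echo "expected exactly one top-level directory" >&2; return 1; }
    printf '%s\n' "$1"
}

# tree_matches_tarball TARBALL DIR: exit 0 if the tarball's contents equal DIR
# (file names, contents and symlinks; permissions and timestamps are ignored).
tree_matches_tarball() {
    scratch=$(mktemp -d) || return 1
    top=$(extract_tree "$1" "$scratch") || { rm -rf "$scratch"; return 1; }
    if diff -r "$top" "$2" >/dev/null; then status=0; else status=1; fi
    rm -rf "$scratch"
    return $status
}

# tag_matches_tarball TAG TARBALL: the same check against "git archive TAG" run in
# the current repository, i.e. the maintainer's own source of truth.
tag_matches_tarball() {
    refdir=$(mktemp -d) || return 1
    git archive --format=tar "$1" | tar -xf - -C "$refdir"
    if tree_matches_tarball "$2" "$refdir"; then result=0; else result=1; fi
    rm -rf "$refdir"
    return $result
}

# Usage: tag_matches_tarball v0.4 mysoftware-0.4.tar.gz && echo "tarball matches tag"
```

A byte-for-byte `sha256sum` comparison of the two `.tar.gz` files only works when both sides were produced with identical tar and gzip settings, which is why the trees are compared instead.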