
List:       kde-devel
Subject:    Re: Should we stop distributing source tarballs?
From:       Jin Liu <m.liu.jin () gmail ! com>
Date:       2024-04-04 11:28:09
Message-ID: CAHBr4f8XSM57xHiUyegjdgZt3tSpMi=xKCcoy4E6mJ-kvXUcXw () mail ! gmail ! com
[Download RAW message or body]

The tree-id of a git commit is effectively a checksum of all files. So you
can ask packagers to pull a specific commit and verify either commit-id or
tree-id. No extra verification step needed.

Sune Vuorela <nospam@vuorela.dk> wrote on Thursday, 4 April 2024 at 17:48:

> On 2024-04-03, Albert Vaca Cintora <albertvaka@gmail.com> wrote:
> > What's the advantage of providing tarballs?
>
> I do think there is an advantage in being able to verify that the source
> tarball is the same across distributions. Using a checksum on the
> tarball is an easy way of doing it. Different git invocations for git
> archive, different tar options and so on can create different checksums
> for the same content.
>
> I do also think it is nice if we get someone else to verify that the
> tarball we ship actually matches the tag. I think some people in
> distributions have already started looking into verifying that.
>
> Also, git tags can be moved.
>
> /Sune
>
>
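
An added example (not from this thread) of the point Jin makes: a git tree-id depends only on file paths, modes and contents, so two checkouts with the same content agree on it, while a tarball checksum also covers tar metadata and changes as soon as one option such as mtime differs, which is the problem Sune describes. The script recomputes git's blob and tree object ids in pure Python (no git binary needed; it assumes only regular files in mode 100644) over a constructed sample tree.

```python
import hashlib
import io
import tarfile

def git_blob_id(data: bytes) -> str:
    """SHA-1 of the git blob object "blob <size>\\0<content>"."""
    return hashlib.sha1(b"blob %d\0" % len(data) + data).hexdigest()

def git_tree_id(files: dict) -> str:
    """files maps relative path -> content bytes; nested dirs become
    subtrees. Only regular files (mode 100644) are modelled here."""
    entries = {}
    for path, data in files.items():
        head, _, rest = path.partition("/")
        if rest:
            entries.setdefault(head, {})[rest] = data  # subdirectory
        else:
            entries[head] = data                       # plain file
    # git sorts tree entries by name, comparing a directory as "name/"
    def sort_key(item):
        return item[0] + ("/" if isinstance(item[1], dict) else "")
    body = b""
    for name, value in sorted(entries.items(), key=sort_key):
        if isinstance(value, dict):
            mode, oid = b"40000", git_tree_id(value)
        else:
            mode, oid = b"100644", git_blob_id(value)
        body += mode + b" " + name.encode() + b"\0" + bytes.fromhex(oid)
    return hashlib.sha1(b"tree %d\0" % len(body) + body).hexdigest()

def tarball_sha256(files: dict, mtime: int) -> str:
    """Tar the same files in memory; mtime is the only option varied."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path in sorted(files):
            info = tarfile.TarInfo(path)
            info.size = len(files[path])
            info.mtime = mtime
            tar.addfile(info, io.BytesIO(files[path]))
    return hashlib.sha256(buf.getvalue()).hexdigest()

# Constructed sample source tree (not a real KDE checkout).
SRC = {"README": b"hello\n", "src/main.c": b"int main(void){return 0;}\n"}

if __name__ == "__main__":
    print("tree-id   :", git_tree_id(SRC))
    print("tar mtime0:", tarball_sha256(SRC, 0))
    print("tar mtime1:", tarball_sha256(SRC, 1))
```

The tree-id printed for SRC matches what `git write-tree` would produce for the same files, while the two tar hashes differ although the file contents are identical.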
