On 0825, Simon Richter wrote:
>Hi,
>
>On 8/25/21 1:21 AM, Sean Whitton wrote:
>
>> From my point of view, signing git tags is no less well established a
>>best practice than signing tarballs -- in fact, to me, it seems *more*
>>well established.
>
>That is ecosystem dependent.
>
>FWIW, I'd love to see git bundles as a source archive format -- this would
>allow shipping a (signed) tag, its commit, and the tree and blob objects for
>that commit as a single file that can be built in a reproducible way and allows
>changes on top to be easily tracked, including the branch point.
>
>In the absence of an "official" upstream release tarball, using this format
>also makes it clear that this is a git snapshot, so no explanation is needed
>how that archive was created.
Ecosystem-dependent or not, I can see being able to verify who uploaded the Git tag (or anything for that matter) as being increasingly valuable in a world where there is a lot of uncaught or ignored plagiarism. Uploaders and creators should have integrity so that their users can rely on them and be confident to deliver quality work.

--
Best regards,
Brian T
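As an added example (not part of this thread, and not code from any project named in it), a small Python checker for the text header that a git bundle carries in front of its packfile. It reads the prerequisite and reference lines and reports why a bundle would not serve as the stand-alone snapshot Simon describes: prerequisites mean the reader must already hold objects, and without a refs/tags/ entry there is no signed tag to verify. The object ids in the sample header are constructed.

```python
import re
from dataclasses import dataclass, field

OID = re.compile(r"^[0-9a-f]{40}$|^[0-9a-f]{64}$")  # sha1 or sha256 object id

@dataclass
class BundleHeader:
    version: int
    capabilities: dict = field(default_factory=dict)   # v3 '@key=value' lines
    prerequisites: list = field(default_factory=list)  # (oid, comment): objects the reader must already have
    refs: dict = field(default_factory=dict)           # refname -> oid shipped in the bundle

def parse_bundle_header(data: bytes) -> BundleHeader:
    """Parse the header of a git bundle (everything before the first blank line)."""
    header, sep, _pack = data.partition(b"\n\n")
    if not sep:
        raise ValueError("no blank line terminating the bundle header")
    lines = header.decode("utf-8").split("\n")
    m = re.fullmatch(r"# v([23]) git bundle", lines[0])
    if not m:
        raise ValueError("not a git bundle: %r" % lines[0])
    hdr = BundleHeader(version=int(m.group(1)))
    for line in lines[1:]:
        if line.startswith("@") and hdr.version >= 3:
            key, _, value = line[1:].partition("=")
            hdr.capabilities[key] = value
        elif line.startswith("-"):
            oid, _, comment = line[1:].partition(" ")
            if not OID.match(oid):
                raise ValueError("bad prerequisite line: %r" % line)
            hdr.prerequisites.append((oid, comment))
        else:
            oid, _, refname = line.partition(" ")
            if not OID.match(oid) or not refname:
                raise ValueError("bad reference line: %r" % line)
            hdr.refs[refname] = oid
    return hdr

def snapshot_problems(hdr: BundleHeader) -> list:
    """Reasons this bundle would not do as a self-contained, signed-tag source snapshot."""
    problems = []
    if hdr.prerequisites:
        problems.append("incremental bundle: %d prerequisite(s)" % len(hdr.prerequisites))
    if not any(r.startswith("refs/tags/") for r in hdr.refs):
        problems.append("no tag ref: nothing to run 'git verify-tag' against")
    if hdr.capabilities.get("filter"):
        problems.append("object filter set: some blobs are omitted")
    return problems

# Constructed sample header (no packfile follows; ids are made up for illustration).
SAMPLE = (b"# v2 git bundle\n"
          b"3f1c9b0e5d7a2c4b8e6f0a1d2c3b4a5968778695 refs/tags/v1.2.0\n"
          b"9e8d7c6b5a4f3e2d1c0b9a8f7e6d5c4b3a2f1e0d HEAD\n\n")
```

On a real file, pass the first few kilobytes of the `.bundle` to `parse_bundle_header`; a clean snapshot yields an empty `snapshot_problems` list, after which `git bundle verify` and `git verify-tag` in the unbundled clone do the cryptographic part.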