On Mon, Apr 9, 2018 at 9:52 PM, Mike Hommey <m...@glandium.org> wrote:
> On Tue, Apr 10, 2018 at 02:46:40PM +1000, Martin Thomson wrote:
> > This seems like a good idea.
> >
> > Please consider adding hg.mozilla.org to your list of things you will
> > clone from. That will allow us to remove some ugly hacks from the
> > tree for vendoring NSS and NSPR. (libffi uses the same script, but it
> > seems to be on GitHub now, so that seems like an easy win assuming
> > even that libffi still uses that script.) We could use the NSS GitHub
> > mirror, but NSPR doesn't have one yet and those can't be the only
> > projects that we have using mercurial. Of course, if that is the
> > case, then don't worry, we'll just have to talk more seriously about
> > moving NSS to GitHub.
> >
> > You don't permit the use of a tag for vendoring, is that intentional?
> > Tags for releases are so commonplace that you should consider it. You
> > shouldn't need a branch AND a tag either. More so because branches
> > move, which makes them not reliable here.
> >
> > Having a version in addition to a tag is redundant and therefore
> > likely to result in mismatches. I'd say that the tag is enough.
>
> I'd say a revision should be mandatory. Branches and tags can change.
> Revisions can't.

I'll reaffirm this. The full hash of a revision - at least in Mercurial
and Git - means more than a branch or a tag. Both the branch name and a
tag are symbolic and can move. Even if you GPG sign a tag, someone could
steal your signing key and re-sign a new tag for a different revision,
and a VCS `verify` command would happily accept it because the signature
is valid! A revision hash, however, is constant for all of time, and a
revision hash cannot change out from under you to refer to different
content. Or at least that's the theory. Hash collisions /could/ occur.

However, the actual probability of a hash collision is currently far
less than the probability that someone moves a pointer on the symbolic
branch or tag name, because a SHA-1 preimage attack is currently far more
difficult than running VCS operations [that Mercurial or Git let you run
out of the box] which let you update a symbolic name.

_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform
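The following is an added example, not code from this thread or from the mozilla-central vendoring script it discusses. It builds a throwaway Git repository, tags a release, then re-points the tag the way a maintainer (or whoever holds their push rights and signing key) can, and shows that a vendoring check which records the full commit hash catches the move while a tag-only pin silently follows it. It assumes `git` and `mktemp -d` are available; the repo layout, file name and function names are invented for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread or from mozilla-central).
# Why a vendoring manifest should record a full revision hash: a tag can
# be re-pointed, a commit hash either resolves to the same content or
# fails to resolve. Assumes: git on PATH, mktemp -d, scratch repo only.
set -eu

# g REPO ARGS...: run git in REPO with a throwaway identity and signing
# off, so the example does not depend on the caller's ~/.gitconfig.
g() {
    _repo=$1; shift
    git -C "$_repo" -c user.name=vendor -c user.email=vendor@example.invalid \
        -c commit.gpgsign=false -c tag.gpgsign=false "$@"
}

# make_repo: build a scratch "upstream" with two commits; tag v1.0 points
# at the first one (the release), HEAD at unreleased work. Prints the path.
make_repo() {
    _r=$(mktemp -d)
    git -c init.defaultBranch=main init -q "$_r"
    echo 'int version(void) { return 1; }' > "$_r/lib.c"   # constructed content
    g "$_r" add lib.c
    g "$_r" commit -q -m "lib 1.0"
    g "$_r" tag v1.0
    echo 'int version(void) { return 2; }' > "$_r/lib.c"
    g "$_r" commit -q -am "lib 2.0 (not yet released)"
    echo "$_r"
}

# resolve REPO REF: print the full commit hash REF points at, or fail
# quietly. Works for tags, branches and bare hashes alike.
resolve() {
    git -C "$1" rev-parse --verify -q "$2^{commit}"
}

# move_tag REPO TAG REF: re-point TAG at REF. This is the operation the
# thread warns about; if the tag were re-signed with a stolen key,
# `git tag -v` would still pass, so signature checks alone do not help.
move_tag() {
    g "$1" tag -f "$2" "$3" >/dev/null
}

# check_pin REPO EXPECTED_HASH REF: the check a vendoring script should
# run. REF is the human-readable name (a tag), EXPECTED_HASH is what was
# recorded when the code was vendored. Fails unless EXPECTED_HASH is a
# full 40-hex SHA-1 and REF still resolves to exactly that commit.
check_pin() {
    _want=$2
    printf '%s\n' "$_want" | grep -Eq '^[0-9a-f]{40}$' || {
        echo "pin is not a full revision hash: $_want" >&2; return 1; }
    _got=$(resolve "$1" "$3") || { echo "$3 does not resolve" >&2; return 1; }
    [ "$_got" = "$_want" ] || {
        echo "$3 now points at $_got, manifest says $_want" >&2; return 1; }
    return 0
}

# demo: vendor v1.0, then watch the tag move out from under the pin.
demo() {
    _d=$(make_repo)
    _pin=$(resolve "$_d" v1.0)
    echo "vendored v1.0 at $_pin"
    move_tag "$_d" v1.0 HEAD
    echo "tag v1.0 now resolves to $(resolve "$_d" v1.0)"
    if check_pin "$_d" "$_pin" v1.0 2>/dev/null; then
        echo "pin check: OK"
    else
        echo "pin check: FAILED (tag moved)"
    fi
    check_pin "$_d" "$_pin" "$_pin" && echo "hash pin still resolves to the same commit"
    rm -rf "$_d"
}
demo
```

The point of `check_pin` is that the manifest keeps both the name (for humans) and the hash (for the machine), and the hash wins: a moved tag is reported rather than followed, and a manifest entry that is only a tag name is rejected up front.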