Gregory Szorc <gregory.sz...@gmail.com> added the comment:
I don't like utilizing the dynamic archive links like https://github.com/python/cpython-source-deps/archive/libffi.zip (even if you pin the commit) because GitHub does not guarantee the file content is deterministic over time. I perform SHA-256 validation of all dependencies I download from the Internet. And if I rely on the /archive/ URLs, all it takes is GitHub updating some library that subtly changes the tar/zip structure and my hashes are invalidated. Release artifacts are immutable and don't have this problem.

As it stands, I will likely `git clone` and check out the commit I need. Although I would prefer a release artifact.

----------
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue40293>
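The fragility the comment describes, as an added example that is not part of the tracker thread or of CPython's build tooling: two zip archives are built in memory from the same constructed files but with different member timestamps and compression settings, the way a regenerated `/archive/` download might differ from an earlier one. A SHA-256 pin over the raw archive bytes no longer matches, while a digest computed over the extracted member paths and contents does. The file names and contents are invented for illustration; the archive layout is simply whatever `zipfile` produces.

```python
import hashlib
import hmac
import io
import zipfile

# Constructed sample payload: the same two source files packed twice.
SAMPLE_FILES = {
    "libffi/README.md": b"# libffi (constructed sample)\n",
    "libffi/src/ffi.c": b"int ffi(void) { return 0; }\n",
}


def build_zip(files, date_time, compression):
    """Pack `files` into a zip held in memory, controlling the per-member
    metadata so we can produce two containers with identical contents."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in sorted(files.items()):
            info = zipfile.ZipInfo(name, date_time=date_time)
            info.compress_type = compression
            zf.writestr(info, data)
    return buf.getvalue()


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def verify_pinned(data, expected_sha256):
    """Check a downloaded blob against a pinned digest in constant time.
    Returns True on match, False on mismatch (the caller decides whether
    to abort the build)."""
    return hmac.compare_digest(sha256_hex(data), expected_sha256.lower())


def content_digest(zip_bytes):
    """Digest over each member's path and bytes in sorted order, ignoring
    container metadata such as timestamps, compression method and ordering.
    Path and length are length-framed so distinct trees cannot collide by
    concatenation."""
    h = hashlib.sha256()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in sorted(zf.namelist()):
            data = zf.read(name)
            h.update(len(name).to_bytes(4, "big"))
            h.update(name.encode("utf-8"))
            h.update(len(data).to_bytes(8, "big"))
            h.update(data)
    return h.hexdigest()


def demo():
    """Build the 'original' and 'regenerated' archives and return
    (archive_hash_a, archive_hash_b, content_digest_a, content_digest_b)."""
    archive_a = build_zip(SAMPLE_FILES, (2020, 4, 1, 0, 0, 0), zipfile.ZIP_STORED)
    archive_b = build_zip(SAMPLE_FILES, (2021, 1, 1, 0, 0, 0), zipfile.ZIP_DEFLATED)
    pinned = sha256_hex(archive_a)  # what a build script would have recorded
    assert verify_pinned(archive_a, pinned)
    assert not verify_pinned(archive_b, pinned)  # same sources, broken pin
    return (
        sha256_hex(archive_a),
        sha256_hex(archive_b),
        content_digest(archive_a),
        content_digest(archive_b),
    )


if __name__ == "__main__":
    a, b, ca, cb = demo()
    print("archive sha256 A:", a)
    print("archive sha256 B:", b)
    print("content digest A:", ca)
    print("content digest B:", cb)
```

A content digest of this kind is only a mitigation for the container-format drift described above; it does not replace pinning an immutable artifact (a release tarball or a specific commit checked out with `git clone`), because an attacker who can change the member contents can recompute the content digest just as easily. The pinned value still has to come from a trusted record.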