On 18/07, Gaetan Bisson wrote:
[2015-07-18 22:32:47 -0400] Dave Reisner:
Tags are more explicitly published by upstreams than commit hashes. I'm
not sure I understand the benefit of switching. Why is it preferable to
use the "value" rather than the "pointer"? What makes it better?

The commit hash is a checksum that ensures the integrity of the
particular source tree you want. The tag, however, provides no
information to verify the integrity.

In other words, if someone hijacks your DNS resolver, github.com, or any
other part of your connection to the git server, they can feed you
malicious data and #tag=$version will never notice, while #commit=hash
will.


Not to mention that it also prevents upstream from silently changing a tag, so that the package built will no longer be the same.

--
Sincerely,
 Johannes Löthberg
 PGP Key ID: 0x50FB9B273A9D0BB5
 https://theos.kyriasis.com/~kyrias/


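The point of the thread (a tag is a movable name, a commit hash is a content checksum) can be shown on a throwaway repository. The script below is an added example, not code from the thread or from makepkg; `verify_pin` is a hypothetical helper standing in for a `#commit=<hash>` consumer, the repository is constructed locally, and `git` must be on PATH.

```shell
#!/bin/sh
# Added example: a tag silently re-pointed upstream is accepted by a
# "#tag=v1.0" consumer but rejected by a "#commit=<hash>" consumer.
set -u

# verify_pin REPO TAG EXPECTED_HASH (hypothetical helper, not makepkg's)
# Returns 0 when TAG still resolves to EXPECTED_HASH, 1 when it has moved
# or the tag no longer exists.
verify_pin() {
    actual=$(git -C "$1" rev-parse "refs/tags/$2^{commit}" 2>/dev/null) || return 1
    [ "$actual" = "$3" ]
}

# demo_tag_drift builds a constructed repo, records the hash behind v1.0,
# then force-moves the tag (what a compromised upstream, DNS hijack or MITM
# could do) and checks which pinning style notices. Returns 0 when the
# tag-based lookup changed and the hash-based check flagged the move.
demo_tag_drift() {
    tmp=$(mktemp -d)
    g() { git -C "$tmp" -c user.name=demo -c user.email=demo@example.invalid "$@"; }
    git init -q "$tmp"
    echo "good source" > "$tmp/main.c"
    g add main.c && g commit -q -m "release 1.0"
    g tag v1.0
    pinned=$(g rev-parse "refs/tags/v1.0^{commit}")   # what a PKGBUILD would record

    echo "malicious change" >> "$tmp/main.c"
    g commit -q -am "looks like a hotfix"
    g tag -f v1.0 >/dev/null                            # tag silently moved

    # "#tag=v1.0" just takes whatever the name resolves to right now.
    tag_pin=$(g rev-parse "refs/tags/v1.0^{commit}")
    # "#commit=<hash>" compares against the recorded checksum instead.
    if verify_pin "$tmp" v1.0 "$pinned"; then result=unchanged; else result=moved; fi
    rm -rf "$tmp"
    [ "$tag_pin" != "$pinned" ] && [ "$result" = moved ]
}
```

Running `demo_tag_drift` exits 0 only if the moved tag went unnoticed by name lookup while the hash comparison caught it, which is exactly the asymmetry the thread describes.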