Hi,

On 1/8/26 5:01 PM, Simon Josefsson wrote:
> Things stored in git don't offer those guarantees. Neither the git repository, nor a git-bundle or a git-archive output provide long-term archival properties. I'm not aware of any documented/supported way to reproduce a particular artifact from a git repository 20 years ahead. Even to the contrary: git is more or less documented to NOT offer this functionality, since changes are happening.
Right, we need to keep that in mind, even if git-archive happens to behave like this right now.
OTOH I think we can make signatures on bundles work by using the object ID of the ref we're signing, and verifying internal consistency.
More attack surface than a flat file that we don't need to interpret for checksumming, and we need to handle the case where a new upload contains a bundle that is not bitwise identical but has the same checksum, but I believe that handling is trivial (ignore the new file).
Simon
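
As an added example of the scheme sketched above (sign the object ID of the ref, then verify the bundle's internal consistency against that ID), here is a self-contained Python script. It is not code from this thread or from any project discussed in it; it uses only the standard library, handles only v2 bundles whose pack contains undeltified commit/tree/blob entries, constructs its one-commit bundle in memory rather than reading a real repository, and uses an HMAC as a stand-in for the detached gpg/ssh signature that would be used in practice. The function names, the ref name refs/heads/main and the demo key are all assumptions made for the example.

```python
import hashlib
import hmac
import struct
import zlib

OBJ_TYPES = {1: "commit", 2: "tree", 3: "blob"}   # undeltified pack entry types only
TYPE_CODES = {v: k for k, v in OBJ_TYPES.items()}

def git_object(kind, payload):
    """Hex oid of a git object: SHA-1 over 'type SP size NUL payload'."""
    return hashlib.sha1(b"%s %d\0%s" % (kind.encode(), len(payload), payload)).hexdigest()

def encode_pack_header(kind, size):
    """Pack entry header: MSB = continuation, 3 type bits, then 4 + 7n size bits."""
    byte, size, out = (TYPE_CODES[kind] << 4) | (size & 0x0F), size >> 4, bytearray()
    while size:
        out.append(byte | 0x80)
        byte, size = size & 0x7F, size >> 7
    return bytes(out + bytes([byte]))

def build_pack(objects):
    """v2 packfile of undeltified [(kind, payload), ...] with its SHA-1 trailer."""
    body = b"PACK" + struct.pack(">II", 2, len(objects))
    for kind, payload in objects:
        body += encode_pack_header(kind, len(payload)) + zlib.compress(payload)
    return body + hashlib.sha1(body).digest()

def build_bundle(refname, oid, pack):
    """v2 bundle: signature line, '<oid> <ref>' lines, blank line, packfile."""
    return b"# v2 git bundle\n%s %s\n\n%s" % (oid.encode(), refname.encode(), pack)

def parse_bundle(data):
    """Split a v2 bundle into ({refname: oid}, packfile); '-' lines are prerequisites."""
    header, _, pack = data.partition(b"\n\n")
    lines = header.split(b"\n")
    if lines[0] != b"# v2 git bundle":
        raise ValueError("unsupported bundle header")
    refs = [l.split(b" ", 1) for l in lines[1:] if l and not l.startswith(b"-")]
    return {name.decode(): oid.decode() for oid, name in refs}, pack

def parse_pack(pack):
    """Decode an undeltified v2 pack to {oid: (kind, payload)}, checking every hash."""
    if pack[:4] != b"PACK" or struct.unpack(">I", pack[4:8])[0] != 2:
        raise ValueError("not a v2 packfile")
    if hashlib.sha1(pack[:-20]).digest() != pack[-20:]:
        raise ValueError("pack trailer checksum mismatch")
    count, pos, objects = struct.unpack(">I", pack[8:12])[0], 12, {}
    for _ in range(count):
        byte, pos = pack[pos], pos + 1
        kind, size, shift = OBJ_TYPES.get((byte >> 4) & 7), byte & 0x0F, 4
        while byte & 0x80:
            byte, pos = pack[pos], pos + 1
            size, shift = size | (byte & 0x7F) << shift, shift + 7
        if kind is None:
            raise ValueError("delta entries are out of scope for this example")
        d = zlib.decompressobj()
        payload = d.decompress(pack[pos:-20])
        if not d.eof or len(payload) != size:
            raise ValueError("truncated or mis-sized pack entry")
        pos = len(pack) - 20 - len(d.unused_data)
        objects[git_object(kind, payload)] = (kind, payload)   # oid recomputed, never trusted
    return objects

def tree_entries(tree):
    """Oids referenced by a tree object: entries are 'mode SP name NUL sha1(20)'."""
    pos, oids = 0, []
    while pos < len(tree):
        nul = tree.index(b"\0", pos)
        oids.append(tree[nul + 1:nul + 21].hex())
        pos = nul + 21
    return oids

def sign_oid(key, oid):
    """Stand-in for a detached signature over the 40-hex oid (gpg/ssh in practice)."""
    return hmac.new(key, oid.encode(), "sha256").digest()

def verify_bundle(bundle, refname, signed_oid, key, signature):
    """Check the signature on the oid, then the bundle's consistency with that oid."""
    if not hmac.compare_digest(sign_oid(key, signed_oid), signature):
        return "bad signature"
    refs, pack = parse_bundle(bundle)
    if refs.get(refname) != signed_oid:
        return "ref does not point at the signed object"
    objects = parse_pack(pack)        # raises on a corrupted entry or trailer
    if objects.get(signed_oid, ("",))[0] != "commit":
        return "signed object is not a commit in the pack"
    tree_oid = objects[signed_oid][1].split(b"\n", 1)[0].split(b" ")[1].decode()
    if objects.get(tree_oid, ("",))[0] != "tree":
        return "commit tree missing from pack"
    if any(o not in objects for o in tree_entries(objects[tree_oid][1])):
        return "tree entry missing from pack"
    return "ok"

def sample_bundle(drop_blob=False):
    """Constructed one-commit bundle (built in memory, not from a real repository)."""
    blob = b"hello\n"
    tree = b"100644 README\0" + bytes.fromhex(git_object("blob", blob))
    commit = (b"tree %s\nauthor A <a@example.org> 0 +0000\n"
              b"committer A <a@example.org> 0 +0000\n\ninitial\n" % git_object("tree", tree).encode())
    objs = [("commit", commit), ("tree", tree)] + ([] if drop_blob else [("blob", blob)])
    return build_bundle("refs/heads/main", git_object("commit", commit), build_pack(objs)), git_object("commit", commit)
```

Usage: `bundle, oid = sample_bundle(); sig = sign_oid(key, oid); verify_bundle(bundle, "refs/heads/main", oid, key, sig)` returns "ok" for the intact bundle, a descriptive string when the ref line or the object graph disagrees with the signed ID, and raises ValueError when the pack trailer or an entry is corrupted. The extra attack surface the message mentions is exactly parse_bundle and parse_pack (header, varint and zlib handling) versus a plain digest of the file; the re-upload case is a lookup of the stored file's checksum before accepting the new one.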

