ppkarwasz opened a new issue, #1154: URL: https://github.com/apache/tooling-trusted-releases/issues/1154
[SWHIDs](https://www.swhid.org/) are content-addressed identifiers modelled on Git's own object model: think of them as Git tree/blob hashes, but defined as an open standard and usable across arbitrary directory structures and archive formats. The key primitive is the `dir` identifier: a Merkle hash over a directory tree, computed the same way Git computes a tree object's SHA-1. Because the algorithm is format-agnostic, you can compare a `.tar.gz` and a `.zip` of the same release and confirm they have identical content without relying on filename or timestamp metadata.

Computing these identifiers during a release could help with two use cases:

### Cross-format archive comparison

Many projects release the same content as both `tar.gz` and `zip`. Today, voters have to trust that those are equivalent or unpack them and compare. With SWHIDs, the `dir` identifiers computed over the top-level directory inside each archive should match.

### Comparison between Git commit and source archive

If ATR were to store the source repo URL and commit hash for a release in the future, it could compute the `dir` identifier of the tree that `git archive` would produce and compare it against the uploaded source archive. For most projects the two should match exactly, giving voters cryptographic confidence that the tarball corresponds to a specific commit.

The comparison isn't just `git archive` output vs. Git tree SHA, since the two can slightly differ:

- Files with `export-ignore` in `.gitattributes` are omitted from the archive.
- Files with `text eol=crlf` have their line endings converted from LF to CRLF in the archive (e.g. `mvnw.cmd` in many Maven projects).

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
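An added example of the `dir` computation described in the issue above (not ATR's code and not the issue author's): it rebuilds a Git-style tree from the top-level directory of a constructed `demo-1.0` release packed once as `.tar.gz` and once as `.zip`, and shows the two identifiers agree regardless of archive format, timestamps or prefix directory name. The sample `FILES` and all helper names are assumptions; the executable bit is carried into the entry mode as Git does, while symlinks and the `export-ignore`/`eol` adjustments listed above are left out.

```python
import hashlib, io, tarfile, zipfile

# Constructed sample release "demo-1.0": path -> (content, executable bit); packed below as .tar.gz and .zip.
FILES = {"README.md": (b"# Demo\n", False), "mvnw": (b"#!/bin/sh\n", True),
         "src/main.c": (b"int main(void) { return 0; }\n", False)}

def git_hash(kind: str, data: bytes) -> bytes:  # Git object hash: sha1("<kind> <len>\0" + payload)
    return hashlib.sha1(f"{kind} {len(data)}\0".encode() + data).digest()
def tree_sha(tree: dict) -> bytes:
    """Git tree hash: "<mode> <name>\\0<raw sha>" entries, sorted bytewise with "/" added to dir names."""
    body = b""
    for name, node in sorted(tree.items(), key=lambda kv: kv[0].encode() + (b"/" if isinstance(kv[1], dict) else b"")):
        if isinstance(node, dict):
            mode, sha = b"40000", tree_sha(node)
        else:
            mode, sha = (b"100755" if node[1] else b"100644"), git_hash("blob", node[0])
        body += mode + b" " + name.encode() + b"\0" + sha
    return git_hash("tree", body)
def swhid_dir(tree: dict) -> str:
    return "swh:1:dir:" + tree_sha(tree).hex()
def add_path(tree: dict, path: str, leaf: tuple) -> None:
    *dirs, name = [p for p in path.split("/") if p]
    for part in dirs:
        tree = tree.setdefault(part, {})
    tree[name] = leaf
def tree_from_archive(data: bytes) -> dict:  # .zip or .tar.gz; only path, content and exec bit survive
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            entries = [(i.filename, zf.read(i), i.external_attr >> 16) for i in zf.infolist() if not i.is_dir()]
    else:
        with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tf:
            entries = [(m.name, tf.extractfile(m).read(), m.mode) for m in tf.getmembers() if m.isfile()]
    tree = {}
    for name, content, mode in entries:
        add_path(tree, name, (content, bool(mode & 0o111)))
    inner = next(iter(tree.values())) if len(tree) == 1 else None  # hash the directory inside the
    return inner if isinstance(inner, dict) else tree              # archive, not its prefix name

def build_archives(prefix: str, mtime: int) -> tuple:  # pack FILES as (tar_gz_bytes, zip_bytes)
    tar_buf, zip_buf = io.BytesIO(), io.BytesIO()
    with tarfile.open(fileobj=tar_buf, mode="w:gz") as tf, zipfile.ZipFile(zip_buf, "w") as zf:
        for path, (content, executable) in FILES.items():
            ti = tarfile.TarInfo(f"{prefix}/{path}")
            ti.size, ti.mtime, ti.mode = len(content), mtime, (0o755 if executable else 0o644)
            tf.addfile(ti, io.BytesIO(content))
            zi = zipfile.ZipInfo(f"{prefix}/{path}", date_time=(2024, 1, 1, 0, 0, 0))
            zi.external_attr = (0o755 if executable else 0o644) << 16
            zf.writestr(zi, content)
    return tar_buf.getvalue(), zip_buf.getvalue()
```

Running `swhid_dir(tree_from_archive(data))` over both uploads of a release gives two strings; they are identical exactly when the unpacked top-level directories have the same content and modes.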
