dave2wave commented on issue #1154:
URL: https://github.com/apache/tooling-trusted-releases/issues/1154#issuecomment-4230310504

> Comparison between Git commit and source archive

We already have a check that assures that the source archive is a subset of the git archive checked out at the sha.

> If ATR were to store the source repo URL and commit hash for a release in the future, it could compute the dir identifier of the tree that git archive would produce and compare it against the uploaded source archive. For most projects the two should match exactly, giving voters cryptographic confidence that the tarball corresponds to a specific commit.

We have this in Project / Release policy, and will be adding SHA as well.

> The comparison isn't just git archive output vs. Git tree SHA, since the two can slightly differ:
>
> Files with export-ignore in .gitattributes are omitted from the archive.
> Files with text eol=crlf have their line endings converted from LF to CRLF in the archive (e.g. mvnw.cmd in many Maven projects).

We may need this improvement.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
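As an added example (not code from ATR or from the comment above), this is the tree-versus-tarball comparison the thread describes, accepting only the two differences `git archive` itself introduces: export-ignore paths are absent and `eol=crlf` files carry CRLF endings. The simplified `.gitattributes` parsing, the `{path: bytes}` representation of the commit's tree and the `read_tar` prefix handling are assumptions of this example.

```python
"""Constructed example: check an uploaded source archive against what 'git archive' would
produce from the release commit's tree (tolerating export-ignore and eol=crlf differences)."""
import fnmatch, io, tarfile

def parse_gitattributes(text):
    # Simplified: "pattern attr attr=value -attr" lines; no macros or "!attr" (assumption).
    rules = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if fields:
            attrs = {}
            for a in fields[1:]:
                key, _, value = a.partition("=")
                attrs[key.lstrip("-")] = value or not a.startswith("-")
            rules.append((fields[0], attrs))
    return rules

def attrs_for(path, rules):
    # Later rules override earlier ones; a "dir/" pattern applies to everything below it.
    result, base = {}, path.rsplit("/", 1)[-1]
    for pattern, attrs in rules:
        if (fnmatch.fnmatch(path, pattern) or fnmatch.fnmatch(base, pattern)
                or path.startswith(pattern.rstrip("/") + "/")):
            result.update(attrs)
    return result

def expected_archive(tree):
    # The bytes 'git archive' would emit for each path of the committed tree ({path: bytes}).
    rules = parse_gitattributes(tree.get(".gitattributes", b"").decode())
    out = {}
    for path, data in tree.items():
        attrs = attrs_for(path, rules)
        if attrs.get("eol") == "crlf":      # LF -> CRLF, e.g. mvnw.cmd in Maven projects
            data = data.replace(b"\r\n", b"\n").replace(b"\n", b"\r\n")
        if not attrs.get("export-ignore"):  # export-ignore paths never reach the archive
            out[path] = data
    return out

def read_tar(tar_bytes, prefix=""):
    # Regular files of an uploaded tarball, with the top-level "project-1.0/" prefix stripped.
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as tf:
        return {m.name[len(prefix):]: tf.extractfile(m).read()
                for m in tf.getmembers() if m.isfile() and m.name.startswith(prefix)}

def compare(tree, archive):
    # (missing, unexpected, mismatched) paths; three empty lists means an exact match.
    want = expected_archive(tree)
    return (sorted(set(want) - set(archive)), sorted(set(archive) - set(want)),
            sorted(p for p in set(want) & set(archive) if want[p] != archive[p]))
```

Any non-empty list is a voter-visible finding: an unexpected path means the tarball contains something the commit does not, and a mismatch on an `eol=crlf` file usually means the archive was built without the repository's attributes rather than by `git archive` at that sha.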