dave2wave commented on issue #1154: URL: https://github.com/apache/tooling-trusted-releases/issues/1154#issuecomment-4230319158
@sbp what do you think of:

> The key primitive is the dir identifier: a Merkle hash over a directory tree, computed the same way Git computes a tree object's SHA-1. Because the algorithm is format-agnostic, you can compare a .tar.gz and a .zip of the same release and confirm they have identical content without relying on filename or timestamp metadata.

Interesting algorithm ...

> Computing these identifiers during a release could help with two use cases:
>
> Cross-format archive comparison
>
> Many projects release the same content as both tar.gz and zip. Today, voters have to trust that those are equivalent or unpack them and compare. With SWHID, the dir identifiers computed over the top-level directory inside each archive should match.

As we know there are more archive formats than `.tar.gz` and `.zip`, like `.tgz` and `.bz2`.
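As an added illustration of the primitive discussed in the comment above (not code from the tooling-trusted-releases project or from the SWHID specification), here is a Git-tree-style directory identifier and a check that packs one constructed release tree as `.tar.gz`, `.tgz`, `.tar.bz2` and `.zip`, hashes the top-level directory inside each, and shows that only the tampered archive disagrees. The release contents, file names and archive names are constructed for the example; the hashing follows the Git tree-object layout (`blob <len>\0`, `tree <len>\0`, entries sorted with directories as if suffixed by `/`).

```python
"""Added example: Git-tree-style directory identifier used to compare archives."""
import hashlib
import os
import shutil
import stat
import tarfile
import tempfile
import zipfile


def blob_id(data: bytes) -> str:
    """SHA-1 of a Git blob object: 'blob <len>\\0' + content."""
    return hashlib.sha1(b"blob %d\0" % len(data) + data).hexdigest()


def _mode(path: str) -> bytes:
    """Git tree-entry mode for a path (lstat, so symlinks are not followed)."""
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        return b"120000"
    if stat.S_ISDIR(st.st_mode):
        return b"40000"
    return b"100755" if st.st_mode & stat.S_IXUSR else b"100644"


def dir_id(path: str) -> str:
    """Merkle hash of a directory tree, laid out like a Git tree object.

    Only names, modes and content feed the hash; ownership, mtimes and the
    container format do not, which is what makes cross-archive comparison work.
    Entries are sorted bytewise by name, directories as if suffixed with '/'.
    (Unlike Git, empty directories are kept, as SWHID does.)
    """
    entries = []
    for name in os.listdir(path):
        full = os.path.join(path, name)
        mode = _mode(full)
        if mode == b"40000":
            sha, key = dir_id(full), name + "/"
        elif mode == b"120000":
            sha, key = blob_id(os.readlink(full).encode()), name
        else:
            with open(full, "rb") as fh:
                sha, key = blob_id(fh.read()), name
        entries.append((key.encode(), mode, name.encode(), bytes.fromhex(sha)))
    entries.sort(key=lambda e: e[0])
    body = b"".join(m + b" " + n + b"\0" + s for _, m, n, s in entries)
    return hashlib.sha1(b"tree %d\0" % len(body) + body).hexdigest()


def extract_top_level(archive: str, dest: str) -> str:
    """Unpack tar.gz/tgz/tar.bz2/zip into dest; return its single top-level directory."""
    if zipfile.is_zipfile(archive):
        with zipfile.ZipFile(archive) as zf:
            for info in zf.infolist():
                out = zf.extract(info, dest)
                unix_mode = info.external_attr >> 16  # zipfile does not restore modes itself
                if unix_mode and not info.is_dir():
                    os.chmod(out, stat.S_IMODE(unix_mode))
    else:
        # 'r:*' sniffs the compression; the 'data' filter (3.12+, backported to
        # 3.8+ security releases) rejects path traversal and unsafe links when present.
        kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        with tarfile.open(archive, "r:*") as tf:
            tf.extractall(dest, **kwargs)
    tops = os.listdir(dest)
    if len(tops) != 1 or not os.path.isdir(os.path.join(dest, tops[0])):
        raise ValueError(f"{archive}: expected one top-level directory, got {tops}")
    return os.path.join(dest, tops[0])


def archive_dir_id(archive: str) -> str:
    """dir identifier of the top-level directory inside an archive."""
    with tempfile.TemporaryDirectory() as tmp:
        return dir_id(extract_top_level(archive, tmp))


def write_release(root: str, tampered: bool = False) -> str:
    """Constructed sample release tree (not a real Apache artifact)."""
    top = os.path.join(root, "example-1.0")
    os.makedirs(os.path.join(top, "src"))
    with open(os.path.join(top, "README"), "w") as fh:
        fh.write("example release\n")
    with open(os.path.join(top, "src", "main.c"), "w") as fh:
        fh.write("int main(void){return 0;}\n" + ("/* extra */\n" if tampered else ""))
    return top


def compare_formats() -> dict:
    """Pack one tree as tar.gz, tgz, tar.bz2 and zip (plus a tampered zip); hash each."""
    with tempfile.TemporaryDirectory() as work:
        top = write_release(os.path.join(work, "good"))
        archives = {}
        for ext, mode in (("tar.gz", "w:gz"), ("tgz", "w:gz"), ("tar.bz2", "w:bz2")):
            archives[ext] = os.path.join(work, "example-1.0." + ext)
            with tarfile.open(archives[ext], mode) as tf:
                tf.add(top, arcname="example-1.0")
        archives["zip"] = shutil.make_archive(
            os.path.join(work, "good-zip"), "zip", os.path.dirname(top), "example-1.0")
        bad = write_release(os.path.join(work, "bad"), tampered=True)
        archives["tampered.zip"] = shutil.make_archive(
            os.path.join(work, "bad-zip"), "zip", os.path.dirname(bad), "example-1.0")
        return {name: archive_dir_id(path) for name, path in archives.items()}


if __name__ == "__main__":
    for name, ident in compare_formats().items():
        print(f"{name:13} swh:1:dir:{ident}")
```

Running it prints the same identifier for the four genuine archives and a different one for the tampered zip. Two practical caveats the example bakes in: zip extraction has to restore Unix modes from `external_attr`, or an executable bit present in the tarball would make the identifiers diverge; and tar extraction should use the `data` filter where the interpreter offers it, since a release-verification step that unpacks untrusted archives should not be the thing that writes outside its working directory.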
