On Wed, Aug 21, 2019 at 09:12:14PM +0200, Piotr Tworek wrote:
>....
> Fortunately for us upstream also tags releases
> in git so we can use those tags to fetch correct version of the sources.
>...
There are various reasons why this is not a good idea.
For example upstream might move the tag (yes, this does happen...),
or someone might do a man-in-the-middle attack on a user building
this package.
cu
Adrian
--
"Is there not promise of rain?" Ling Tan asked suddenly out
of the darkness. There had been need of rain for many days.
"Only a promise," Lao Er said.
Pearl S. Buck - Dragon Seed
--
_______________________________________________
Openembedded-devel mailing list
[email protected]
http://lists.openembedded.org/mailman/listinfo/openembedded-devel
