[cfe-dev] RFC: Automated signing of release files

David Chisnall via cfe-dev cfe-dev at lists.llvm.org
Fri Jan 15 03:55:58 PST 2021


On 14/01/2021 18:35, Tom Stellard wrote:
> But, we stopped relying on this, because we had a user report that the 
> tarball format was not stable, so you weren't guaranteed to get the 
> exact same bits each time you download it.  I'm not sure if this same 
> issue affects the tarballs accessed by using a git commit hash as well.

It does not, for anything identified by a hash or a stable tag (you can 
break them by modifying or updating a tag; maybe LLVM moved the tags for 
releases at some point?).

The FreeBSD ports infrastructure uses these for builds and stores a 
SHA256 hash and size of the tarball that was available when the port was 
created (and the timestamp when these were checked) in the distinfo file 
that is used by the fetch step of the build.  We would be unable to 
build any of the packages that used GitHub sources if they changed 
because the build system would detect that as tampering.  A quick grep 
over a somewhat old checkout of the ports tree tells me that there are 
around 800 packages built from these tarballs.  FreeBSD recommends that 
port maintainers use the hash ID if there are any doubts that the 
upstream project will keep the tag pointed at the same commit.

David
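The fetch-time check David describes (a recorded SHA256 digest plus the file size, compared against what was actually downloaded, with any difference treated as tampering) is easy to reproduce in a few lines. The block below is an added illustration, not code from this thread or from the FreeBSD ports tools; the text format is modelled on a ports distinfo file (TIMESTAMP, SHA256 (file) = digest, SIZE (file) = bytes), and the sample distfile contents are constructed so the example runs offline.

```python
import hashlib
import hmac
import re

# Constructed stand-in for a fetched distfile (not a real LLVM tarball).
SAMPLE_NAME = "example-project-1.0.tar.gz"
SAMPLE_DATA = b"pretend this is a tarball\n" * 64

# Line shapes modelled on a FreeBSD ports distinfo file:
#   TIMESTAMP = <epoch seconds>
#   SHA256 (<file>) = <hex digest>
#   SIZE (<file>) = <bytes>
_ENTRY_RE = re.compile(r"^(?P<key>SHA256|SIZE) \((?P<name>[^)]+)\) = (?P<value>\S+)$")


def make_distinfo(name, data, timestamp):
    """Record the digest and size of a distfile as it was when the port was created."""
    digest = hashlib.sha256(data).hexdigest()
    return (f"TIMESTAMP = {timestamp}\n"
            f"SHA256 ({name}) = {digest}\n"
            f"SIZE ({name}) = {len(data)}\n")


def parse_distinfo(text):
    """Parse distinfo text into (timestamp, {name: {"sha256": hex, "size": int}})."""
    timestamp = None
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("TIMESTAMP = "):
            timestamp = int(line.split("=", 1)[1].strip())
            continue
        m = _ENTRY_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised distinfo line: {line!r}")
        entry = entries.setdefault(m["name"], {})
        if m["key"] == "SHA256":
            entry["sha256"] = m["value"].lower()
        else:
            entry["size"] = int(m["value"])
    return timestamp, entries


def verify_distfile(name, data, entries):
    """Return a list of mismatches; an empty list means the fetched bytes are the recorded ones."""
    problems = []
    entry = entries.get(name)
    if entry is None:
        # A file with no recorded digest must not be used at all.
        return [f"{name}: no distinfo entry, refusing to use unverified file"]
    # Size is the cheap check; it catches truncation and most re-rolled tarballs early.
    if "size" in entry and len(data) != entry["size"]:
        problems.append(f"{name}: size {len(data)} != recorded {entry['size']}")
    if "sha256" in entry:
        actual = hashlib.sha256(data).hexdigest()
        if not hmac.compare_digest(actual, entry["sha256"]):
            problems.append(f"{name}: sha256 mismatch (treat as tampering or an upstream re-roll)")
    else:
        problems.append(f"{name}: no SHA256 recorded")
    return problems


if __name__ == "__main__":
    distinfo = make_distinfo(SAMPLE_NAME, SAMPLE_DATA, 1610000000)
    _, entries = parse_distinfo(distinfo)
    print("unchanged:", verify_distfile(SAMPLE_NAME, SAMPLE_DATA, entries) or "OK")
    # Same length, one byte changed: the size check passes, the digest check catches it.
    altered = bytearray(SAMPLE_DATA)
    altered[0] ^= 0x01
    print("altered:", verify_distfile(SAMPLE_NAME, bytes(altered), entries))
```

The point of recording both values is that the size check is essentially free and fails fast on a re-generated tarball, while the digest is what actually proves the bytes are the ones the maintainer reviewed; a build system that refuses to continue on any mismatch is what turns an unstable upstream archive format into a visible failure rather than a silently different build.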


