[cfe-dev] RFC: Automated signing of release files
David Chisnall via cfe-dev
cfe-dev at lists.llvm.org
Fri Jan 15 03:55:58 PST 2021
On 14/01/2021 18:35, Tom Stellard wrote:
> But, we stopped relying on this, because we had a user report that the
> tarball format was not stable, so you weren't guaranteed to get the
> exact same bits each time you download it. I'm not sure if this same
> issue affects the tarballs accessed by using a git commit hash as well.
It does not, for anything identified by a hash or a stable tag (you can
break them by modifying or updating a tag; maybe LLVM moved the tags for
releases at some point?).
The FreeBSD ports infrastructure uses these for builds and stores a
SHA256 hash and size of the tarball that was available when the port was
created (and the timestamp when these were checked) in the distinfo file
that is used by the fetch step of the build. We would be unable to
build any of the packages that used GitHub sources if they changed
because the build system would detect that as tampering. A quick grep
over a somewhat old checkout of the ports tree tells me that there are
around 800 packages built from these tarballs. FreeBSD recommends that
port maintainers use the hash ID if there are any doubts that the
upstream project will keep the tag pointed at the same commit.
David
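The check David describes, a distinfo record (SHA256 plus size) compared against the fetched distfile, as an added example that is not part of the thread and not FreeBSD's own fetch code; the distfile bytes and the distinfo text are constructed inline, and the only format assumption is the `SHA256 (file) = hex` / `SIZE (file) = bytes` line layout used by the ports tree.

```python
import hashlib
import re

# Lines of a FreeBSD ports distinfo file:
#   TIMESTAMP = <unix time>
#   SHA256 (<distfile>) = <hex digest>
#   SIZE (<distfile>) = <bytes>
DISTINFO_LINE = re.compile(r"^(SHA256|SIZE) \((.+)\) = (\S+)$")

def parse_distinfo(text):
    """Return {distfile: {"sha256": hex, "size": int}} from distinfo text."""
    entries = {}
    for line in text.splitlines():
        m = DISTINFO_LINE.match(line.strip())
        if not m:
            continue  # TIMESTAMP and blank lines play no part in verification
        kind, name, value = m.groups()
        rec = entries.setdefault(name, {})
        if kind == "SHA256":
            rec["sha256"] = value.lower()
        else:
            rec["size"] = int(value)
    return entries

def verify_distfile(name, data, entries):
    """Check downloaded bytes against the distinfo record. Returns (ok, reason)."""
    rec = entries.get(name)
    if rec is None or "sha256" not in rec or "size" not in rec:
        return False, "no complete distinfo record for %s" % name
    if len(data) != rec["size"]:  # cheap check first; a re-rolled tarball usually differs here
        return False, "size mismatch: got %d, expected %d" % (len(data), rec["size"])
    digest = hashlib.sha256(data).hexdigest()
    if digest != rec["sha256"]:
        return False, "sha256 mismatch: got %s, expected %s" % (digest, rec["sha256"])
    return True, "ok"

# Constructed sample: a fake distfile and a distinfo generated from it (not a real archive).
SAMPLE_NAME = "example-project-1.0.tar.gz"
SAMPLE_DATA = b"constructed tarball bytes, not a real archive\n" * 8
SAMPLE_DISTINFO = ("TIMESTAMP = 1610712958\nSHA256 (%s) = %s\nSIZE (%s) = %d\n"
                   % (SAMPLE_NAME, hashlib.sha256(SAMPLE_DATA).hexdigest(),
                      SAMPLE_NAME, len(SAMPLE_DATA)))

def demo():
    entries = parse_distinfo(SAMPLE_DISTINFO)
    good = verify_distfile(SAMPLE_NAME, SAMPLE_DATA, entries)
    # Same length, different bytes: size passes, hash fails, so the build would stop.
    bad = verify_distfile(SAMPLE_NAME, SAMPLE_DATA[:-1] + b"X", entries)
    return good, bad

if __name__ == "__main__":
    print(demo())
```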