On 29/05/2022 at 14:40, kpcyrd wrote:
> ohai!
> I blogged about a new tool that can be used to verify a tarball from a
> signed git tag, while still pinning the source code with >= sha256sum:
> https://vulns.xyz/2022/05/auth-tarball-from-git/
What is the advantage over properly pinning the tag using its blob value
(`git rev-parse v${pkgver}`, see e.g.
https://github.com/archlinux/svntogit-community/blob/packages/gitea/trunk/PKGBUILD#L25=)?
This is how we solved tag pinning for years, and is much simpler to do
in the PKGBUILD.
Regards,
Bruno/Archange
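As an added example (not code from either message or from the Arch PKGBUILD linked above), here is the tag-pinning check Bruno describes in POSIX shell: the tag is resolved to the commit it points at and compared against a commit id recorded in advance, the way `git rev-parse v$pkgver` is pinned in a PKGBUILD. The function names `verify_pinned_tag` and `make_fixture_repo` are assumptions, and the repository is a constructed throwaway fixture so the check runs offline.

```shell
#!/bin/sh
# Added example: verify that a git tag still resolves to a pinned commit id.
# Peeling with ^{commit} matters: for an annotated tag, plain `git rev-parse TAG`
# returns the tag object id, which changes whenever the tag is re-created.
set -eu

# verify_pinned_tag REPO TAG EXPECTED_COMMIT
# Prints the resolved commit id and returns 0 on match; returns 1 when the tag is
# missing or has been moved to a different commit (the case a pin must catch).
verify_pinned_tag() {
    repo=$1; tag=$2; expected=$3
    resolved=$(git -C "$repo" rev-parse --verify --quiet "refs/tags/$tag^{commit}") || {
        echo "tag $tag not found in $repo" >&2
        return 1
    }
    if [ "$resolved" != "$expected" ]; then
        echo "tag $tag resolves to $resolved, pinned id is $expected" >&2
        return 1
    fi
    echo "$resolved"
}

# make_fixture_repo: constructed fixture, one empty commit tagged v1.0 (annotated).
# Prints the repository path. Identity is passed inline so no global config is needed.
make_fixture_repo() {
    dir=$(mktemp -d)
    git -C "$dir" init -q
    git -C "$dir" -c user.name=demo -c user.email=demo@example.invalid \
        commit -q --allow-empty -m "release 1.0"
    git -C "$dir" -c user.name=demo -c user.email=demo@example.invalid \
        tag -a v1.0 -m "v1.0"
    echo "$dir"
}

# Demo when run directly: record the pin as a packager would, then re-check it.
demo_repo=$(make_fixture_repo)
demo_pin=$(git -C "$demo_repo" rev-parse "v1.0^{commit}")
verify_pinned_tag "$demo_repo" v1.0 "$demo_pin" >/dev/null && echo "v1.0 matches pin $demo_pin"
rm -rf "$demo_repo"
```

Re-tagging `v1.0` onto another commit, or deleting the tag, makes `verify_pinned_tag` return 1, which is the failure a pinned `_commit` in a PKGBUILD is there to surface.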