also sprach Paul Hedderly <p...@mjr.org> [2009.05.26.2128 +0200]:
> There is nothing to stop the build daemon creating a "canonical
> tar". But the issue you are really pointing to is that "tags" can
> change....

In theory, though once published, changing a tag is highly
discouraged, but not impossible.

> so we should only use the _SHA-1 of a commit_ since that cannot
> (reasonably) change... and if it is buildable, then within the same
> scope that a tar bundle would be buildable on a different
> machine/setup then the same commit would be similarly buildable
> - in fact - you get more of a guarantee of getting exactly the
> same thing this way - tar files can be modified...

At some point, with tarballs or tags, signatures come into the
picture. The signing party can be held accountable for subverting the
process.

-- 
 .''`.   martin f. krafft <madd...@d.o>      Related projects:
: :'  :  proud Debian developer               http://debiansystem.info
`. `'`   http://people.debian.org/~madduck    http://vcs-pkg.org
  `-  Debian - when you have better things to do than fixing systems

it is better to have loved a short man than never to have loved a tall.
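The point made in the exchange above, that a commit id is bound to content while a tag is only a movable name, can be shown by computing git object ids the way git does. This is an added illustration, not code from the thread or from any Debian tooling; the sample files, the author string and the tag names are constructed.

```python
"""Git content addressing: why a commit SHA-1 is stable and a tag is not.

A git object id is SHA-1 over "<type> <size>\\0<payload>". A commit's payload
names its tree (and so every file), its parents and its metadata, so the id
cannot stay the same if any of that changes. A tag is just a name -> id entry
in the ref namespace; re-pointing it changes nothing about the commits.
"""
import hashlib


def git_object_id(obj_type: str, payload: bytes) -> str:
    """Return the id git assigns to an object of the given type."""
    header = f"{obj_type} {len(payload)}\0".encode()
    return hashlib.sha1(header + payload).hexdigest()


def blob_id(data: bytes) -> str:
    return git_object_id("blob", data)


def tree_id(files: dict[str, bytes]) -> str:
    """Tree of regular files (mode 100644); git stores entries sorted by name."""
    payload = b""
    for name in sorted(files):
        entry = b"100644 " + name.encode() + b"\0" + bytes.fromhex(blob_id(files[name]))
        payload += entry
    return git_object_id("tree", payload)


def commit_id(tree: str, parents: list[str], author: str, message: str) -> str:
    """Commit object: tree, parents, author/committer, blank line, message."""
    lines = [f"tree {tree}"] + [f"parent {p}" for p in parents]
    lines += [f"author {author}", f"committer {author}", "", message]
    return git_object_id("commit", "\n".join(lines).encode())


def build_release(files: dict[str, bytes], message: str) -> str:
    """Commit id of a root commit holding the given files (constructed sample)."""
    author = "Example Dev <dev@example.invalid> 1243366080 +0200"  # constructed
    return commit_id(tree_id(files), [], author, message)


def repoint_tag(refs: dict[str, str], tag: str, new_commit: str) -> dict[str, str]:
    """A tag is only a name -> id mapping; moving it leaves every commit id intact."""
    updated = dict(refs)
    updated[tag] = new_commit
    return updated
```

The empty-blob and empty-tree ids produced here match the ones git itself reports, so the hashing can be checked against any real repository.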