On 19 July 2015 at 05:43, Gaetan Bisson <bis...@archlinux.org> wrote:
> [2015-07-18 22:32:47 -0400] Dave Reisner:
>> Tags are more explicitly published by upstreams than commit hashes. I'm
>> not sure I understand the benefit of switching. Why is it preferable to
>> use the "value" rather than the "pointer"? What makes it better?
>
> The commit hash is a checksum that ensures the integrity of the
> particular source tree you want. The tag, however, provides no
> information to verify the integrity.
>
> In other words, if someone hijacks your DNS resolver, github.com, or any
> other part of your connection to the git server, they can feed you
> malicious data and #tag=$version will never notice, while #commit=hash
> will.
>
> --
> Gaetan
git tags can and should be PGP-signed, especially if the upstream is relying purely on git for releases. Is any package not covered by that?

J. Leclanche
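Both points above, as an added example that is not part of the thread: a throwaway local repository stands in for an upstream, the tag name `v1.0` and file `VERSION` are constructed, and the script shows that a `#tag=` reference follows the name wherever it is moved while a `#commit=` reference still names the tree the packager audited; it also classifies the tag as lightweight, annotated or signed, which is the precondition for `git verify-tag` being of any use.

```sh
#!/bin/sh
# Added example, not from the thread: a throwaway local repository that shows
# why "#commit=<hash>" pins content while "#tag=<name>" only pins a movable
# name, plus a check for whether a tag carries a signature at all.
set -eu

# Commit with a fixed identity so this runs in a sandbox with no git config.
mkcommit() {   # $1=repo $2=message
    git -C "$1" add -A
    git -C "$1" -c user.name=pkg -c user.email=pkg@example.invalid \
        commit -q -m "$2"
}

# Prints "lightweight", "annotated-unsigned" or "signed". Actual signature
# verification is `git verify-tag <tag>` and needs the upstream's public key.
tag_kind() {   # $1=repo $2=tag
    if [ "$(git -C "$1" cat-file -t "refs/tags/$2")" != tag ]; then
        echo lightweight
    elif git -C "$1" cat-file -p "refs/tags/$2" | grep -q -- '^-----BEGIN .* SIGNATURE-----'; then
        echo signed
    else
        echo annotated-unsigned
    fi
}

# Prints four fields: <tree the packager audited> <tree #tag=v1.0 yields now>
# <tree #commit=<hash> yields now> <kind of tag v1.0>
tag_vs_commit() {
    work=$(mktemp -d)
    repo="$work/upstream"
    git init -q "$repo"
    printf 'version=1.0\n' > "$repo/VERSION"
    mkcommit "$repo" "release 1.0"
    git -C "$repo" tag v1.0
    pinned=$(git -C "$repo" rev-parse v1.0)           # what #commit= would record
    audited=$(git -C "$repo" rev-parse 'v1.0^{tree}') # content the packager reviewed

    # Later the name v1.0 is pointed at different content: an upstream re-tag,
    # or the tampered server / connection described in the thread.
    printf 'version=1.0\nbuild_flag=changed\n' > "$repo/VERSION"
    mkcommit "$repo" "re-tagged 1.0"
    git -C "$repo" tag -f v1.0 > /dev/null

    by_tag=$(git -C "$repo" rev-parse 'v1.0^{tree}')       # follows the moved name
    by_commit=$(git -C "$repo" rev-parse "$pinned^{tree}")  # still the audited tree
    kind=$(tag_kind "$repo" v1.0)
    rm -rf "$work"
    echo "$audited $by_tag $by_commit $kind"
}

tag_vs_commit
```

The first and third fields match and the second differs; a `#tag=` source that happens to be a lightweight tag, as here, gives the packager nothing to verify even after the fact.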