The tree-id of a git commit is effectively a checksum of all files. So you
can ask packagers to pull a specific commit and verify either commit-id or
tree-id. No extra verification step needed.

Sune Vuorela <nos...@vuorela.dk> wrote on Thursday, April 4, 2024 at 17:48:

> On 2024-04-03, Albert Vaca Cintora <albertv...@gmail.com> wrote:
> > What's the advantage of providing tarballs?
>
> I do think there is an advantage in being able to verify that the source
> tarball is the same across distributions. Using a checksum on the
> tarball is an easy way of doing it. Different git invocations for git
> archive, different tar options and so on can create different checksums
> for the same content.
>
> I do also think it is nice if we get someone else to verify that the
> tarball we ship actually matches the tag. I think some people in
> distributions have already started looking into verifying that.
>
> Also, git tags can be moved.
>
> /Sune
>
>
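
The check discussed in this thread, as an added example that is not part of the original messages: it recomputes a git tree-id from an unpacked source directory, so the result can be compared with the tree-id of the tagged commit regardless of how the tarball was packed. It assumes a SHA-1 repository with no submodules, no `export-ignore`/`export-subst` attributes and no line-ending conversion; `tree_id` and `blob_id` are names chosen for this example.

```python
import hashlib
import os
import stat
import sys

# Well-known id of git's empty tree (SHA-1 object format).
EMPTY_TREE = "4b825dc642cb6eb9a060e54bf8d69288fbee4904"


def _obj(kind: bytes, body: bytes) -> bytes:
    """Raw SHA-1 of a git object: b'<kind> <size>\\0' followed by the body."""
    return hashlib.sha1(kind + b" %d\x00" % len(body) + body).digest()


def blob_id(data: bytes) -> str:
    return _obj(b"blob", data).hex()


def tree_id(path: str) -> str:
    """Tree-id git would assign to the files under path (.git is skipped)."""
    entries = []
    for name in os.listdir(path):
        if name == ".git":
            continue
        full, raw = os.path.join(path, name), os.fsencode(name)
        mode = os.lstat(full).st_mode
        if stat.S_ISDIR(mode):
            sub = tree_id(full)
            if sub != EMPTY_TREE:  # git does not record empty directories
                # Directories sort as if their name ended in "/".
                entries.append((raw + b"/", b"40000 " + raw + b"\x00" + bytes.fromhex(sub)))
        elif stat.S_ISLNK(mode):
            target = os.fsencode(os.readlink(full))
            entries.append((raw, b"120000 " + raw + b"\x00" + _obj(b"blob", target)))
        elif stat.S_ISREG(mode):
            with open(full, "rb") as fh:
                data = fh.read()
            # Only the owner-executable bit is recorded; mtime and owner are not.
            perm = b"100755 " if mode & stat.S_IXUSR else b"100644 "
            entries.append((raw, perm + raw + b"\x00" + _obj(b"blob", data)))
    return _obj(b"tree", b"".join(entry for _, entry in sorted(entries))).hex()


if __name__ == "__main__" and len(sys.argv) == 3:
    # usage: <script> <unpacked-source-dir> <expected-tree-id>
    actual = tree_id(sys.argv[1])
    print(actual)
    sys.exit(0 if actual == sys.argv[2] else 1)
```

The expected value comes from `git rev-parse <commit>^{tree}` in a trusted clone; a mismatch means the unpacked content differs from that commit's tree.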
