On Wed, Jun 18, 2014 at 4:16 PM, Lamar Owen <lo...@pari.edu> wrote:
> So, somewhat paradoxically, I would have a greater confidence in source from
> git than source from a signed source RPM, again due to git's design. Yeah,
> I know, it's not what we're used to, and there is a bit of information that
> a package.src.rpm has that the git repo won't have, but it's possible to
> produce binary compatibility without that bit of info. It may seem to be
> more work, but time will tell.
The difficulty is one I encounter daily. What is checked out from a git repo today, and built with, need have no resemblance to what is in the git repo tomorrow, or yesterday, especially if you are pulling from the "master" branch. And relying on the ".spec file", or the last change in the .spec file, need not reflect the other changes that were done after the .spec file but merged after the fact or from another code branch. This is what GPG-signed "tags", with version numbers, are very useful for.
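The point above about a moving "master" versus a signed, versioned tag, as an added example that is not part of this thread: a POSIX shell script that builds a small throwaway repository (its .spec and source contents, the tag names, and the ephemeral signing identity are all constructed for the demo), tags the 1.0 release, lets master move on with a change the .spec does not mention, and then shows what `git verify-tag` accepts and rejects before a build. If `gpg` is not installed or cannot generate a key, the tag is left unsigned and the script only demonstrates the master-vs-tag divergence.

```shell
#!/bin/sh
# Added example, not code from the thread: why "build from master" pins
# nothing, and how a versioned, GPG-signed tag does.  Everything below
# (repo contents, tag names, signing identity) is constructed for the demo.
set -eu

# Constructed identity for commits and, when gpg is available, for signing.
export GIT_AUTHOR_NAME="Demo Packager" GIT_AUTHOR_EMAIL="demo@example.invalid"
export GIT_COMMITTER_NAME="$GIT_AUTHOR_NAME" GIT_COMMITTER_EMAIL="$GIT_AUTHOR_EMAIL"

# Generate a throwaway key in a private GNUPGHOME.  Returns non-zero (and the
# caller falls back to an unsigned tag) if gpg is missing or too old.
make_ephemeral_key() {
    command -v gpg >/dev/null 2>&1 || return 1
    GNUPGHOME=$(mktemp -d)
    export GNUPGHOME
    chmod 700 "$GNUPGHOME"
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-gen-key "$GIT_AUTHOR_NAME <$GIT_AUTHOR_EMAIL>" default default never \
        >/dev/null 2>&1
}

# Build a demo repo in $1: a 1.0 release (spec + source), tag v1.0 on it, then
# a later commit on master that changes the source but not the .spec.
# Sets DEMO_SIGNED=1 when v1.0 could be signed with the ephemeral key.
setup_repo() {
    repo=$1
    git init -q "$repo"
    git -C "$repo" symbolic-ref HEAD refs/heads/master
    printf 'Version: 1.0\n' >"$repo/demo.spec"
    printf 'int main(void) { return 0; }\n' >"$repo/demo.c"
    git -C "$repo" add .
    git -C "$repo" commit -q -m "demo 1.0"

    DEMO_SIGNED=0
    if make_ephemeral_key; then
        # -s: annotated *and* signed; git picks the key matching the committer email.
        git -C "$repo" tag -s v1.0 -m "demo 1.0 release" >/dev/null 2>&1 && DEMO_SIGNED=1
    fi
    [ "$DEMO_SIGNED" -eq 1 ] || git -C "$repo" tag -a v1.0 -m "demo 1.0 release"

    # The branch moves on: the .spec still says 1.0, but the code differs.
    printf 'int main(void) { return 1; } /* post-release change */\n' >"$repo/demo.c"
    git -C "$repo" commit -q -am "unrelated change merged after the release"

    # A lightweight tag with a version-looking name: proves nothing about origin.
    git -C "$repo" tag v1.1-unsigned master
}

# What "build from master" gets: the tree at the tip, whatever it is today.
master_tree() { git -C "$1" rev-parse 'master^{tree}'; }

# What a versioned tag pins: the tree the tag object points at.
tag_tree() { git -C "$1" rev-parse "$2^{tree}"; }

# Gate the build on the tag's GPG signature; non-zero exit means do not build.
verify_release_tag() { git -C "$1" verify-tag "$2" >/dev/null 2>&1; }

# Check out exactly the verified release for the build, never a branch tip.
checkout_release() {
    verify_release_tag "$1" "$2" || return 1
    git -C "$1" checkout -q "$2"
}

demo=$(mktemp -d)
setup_repo "$demo"
echo "master would build tree: $(master_tree "$demo")"
echo "v1.0 pins tree:          $(tag_tree "$demo" v1.0)"
for t in v1.0 v1.1-unsigned; do
    if verify_release_tag "$demo" "$t"; then
        echo "$t: signature verified, safe to build"
    else
        echo "$t: not verifiable, refuse to build"
    fi
done
```

`git verify-tag` (equivalently `git tag -v`) only succeeds for an annotated tag whose signature checks out against a key in the builder's keyring, so the builder must already hold the packager's public key; an unsigned annotated tag, a lightweight tag, or a tag re-pointed after the fact all fail the gate.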