undefined | Better HN

0 pointsArchOversight3y ago0 comments

A wouldn't be an issue since you are checking out a git tag.

B would just be a normal git checkout, which already validates that all the objects are reachable and git tags (and commits for that matter) can be signed, and since the sha1 hash is signed as well it validates that the entire tree of commits has not been tampered with. So as long you trust git to not lie about what it is writing to disk, you have a valid checkout of that tag.

And if you do expect it to lie, why do you expect tar to not lie about what it is unpacking?

0 comments

vlovich1233y ago

I know GitHub had asked that clones from package manager use shallow clones. It wouldn't surprise me if downloading tarballs is similarly beneficial to GitHub because it's trivially cacheable in a CDN and thus lowers their operational footprint to support package managers.

j / k navigate · click thread line to collapse

0 pointsArchOversight3y ago0 comments

A wouldn't be an issue since you are checking out a git tag.

And if you do expect it to lie, why do you expect tar to not lie about what it is unpacking?

0 comments

vlovich1233y ago

j / k navigate · click thread line to collapse