Message366528
I don't like utilizing the dynamic archive links like https://github.com/python/cpython-source-deps/archive/libffi.zip (even if you pin the commit) because GitHub does not guarantee the file content is deterministic over time. I perform SHA-256 validation of all dependencies I download from the Internet. And if I rely on the /archive/ URLs, all it takes is GitHub updating some library that subtly changes the tar/zip structure and my hashes are invalidated.
Release artifacts are immutable and don't have this problem.
As it stands, I will likely `git clone` and check out the commit I need, although I would prefer a release artifact.

Date | User | Action | Args
--- | --- | --- | ---
2020-04-15 16:16:59 | indygreg | set | recipients: + indygreg, paul.moore, tim.golden, zach.ware, steve.dower
2020-04-15 16:16:59 | indygreg | set | messageid: <1586967419.15.0.969294104346.issue40293@roundup.psfhosted.org>
2020-04-15 16:16:59 | indygreg | link | issue40293 messages
2020-04-15 16:16:58 | indygreg | create |
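The fragility described in the message above, shown as an added example that is not part of the issue thread or CPython's build scripts: two archives built from identical files but with different entry timestamps (the kind of metadata an archive generator may change) get different SHA-256 digests, while a digest over the member names and bytes stays stable. The file contents and the `content_digest` manifest scheme are constructed for this illustration.

```python
import hashlib
import hmac
import io
import zipfile

# Constructed stand-in for a vendored dependency's source tree.
FILES = {
    "libffi/README": b"constructed sample content\n",
    "libffi/src/ffi.c": b"int ffi_version(void) { return 1; }\n",
}


def build_zip(files, date_time):
    """Build a zip in memory. date_time is per-entry metadata that changes
    the archive bytes without changing any file's content."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in sorted(files):
            info = zipfile.ZipInfo(name, date_time=date_time)
            info.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(info, files[name])
    return buf.getvalue()


def sha256_hex(data):
    """Digest of the archive exactly as downloaded (what a pinned hash usually covers)."""
    return hashlib.sha256(data).hexdigest()


def content_digest(archive_bytes):
    """Hypothetical manifest digest: hash sorted member names and their bytes,
    ignoring timestamps, entry order and compression settings."""
    h = hashlib.sha256()
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for name in sorted(zf.namelist()):
            data = zf.read(name)
            h.update(name.encode() + b"\0" + len(data).to_bytes(8, "big") + data)
    return h.hexdigest()


def verify(data, expected_hex, digest=sha256_hex):
    """Compare a computed digest against the pinned one in constant time."""
    return hmac.compare_digest(digest(data), expected_hex)


# Same files, regenerated with a different timestamp: archive bytes differ.
ARCHIVE_A = build_zip(FILES, (2020, 4, 15, 16, 16, 59))
ARCHIVE_B = build_zip(FILES, (2021, 1, 1, 0, 0, 0))

if __name__ == "__main__":
    print("archive hashes equal:", sha256_hex(ARCHIVE_A) == sha256_hex(ARCHIVE_B))
    print("content digests equal:", content_digest(ARCHIVE_A) == content_digest(ARCHIVE_B))
```

Pinning the whole-archive hash (`sha256_hex`) is the right check for an immutable release artifact; for a regenerated archive it breaks as soon as any metadata changes, which is exactly the concern raised in the message.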