Git archive generation meets Hyrum's law

Posted Feb 3, 2023 14:14 UTC (Fri) by agateau (subscriber, #57569)
In reply to: Git archive generation meets Hyrum's law by NYKevin
Parent article: Git archive generation meets Hyrum's law

Mmm, I just realized on-the-fly archives are available for *all* commits. I agree caching archives for those would be impractical.

Depending on them not ever changing was a bad idea.

Assuming the archives one can find in a GitHub releases would never change, on the other hand, sounds like a reasonable assumption. Those should be generated once. GitHub already lets you attach arbitrary files to a release, so an archive of the sources should not be a problem (he says without having any numbers). They could limit this to only creating archives for releases, not tags, to reduce the number of generated archives.

Git archive generation meets Hyrum's law

Posted Feb 3, 2023 14:38 UTC (Fri) by paulj (subscriber, #341) [Link]

Right, the issue is that random developers are configuring their build systems to download on-the-fly git-archives of arbitrary commits of projects. Rather than just doing a shallow clone of the git commit ID - which *IS* guaranteed to be stable, with cryptographic strength guarantees! (And many build systems, inc. CMake, etc., have modules to make it easy to specify build dependencies as git commits to checkout).

The people doing this are utterly clueless, and it's insanity to coddle them.