Konstantin Ryabitsev <konstantin@xxxxxxxxxxxxxxxxxxx> writes:

> On Sun, Feb 06, 2022 at 12:02:34PM -0800, Junio C Hamano wrote:
>> Philip Oakley <philipoakley@iee.email> writes:
>>
>> > I think part of Todd's question was how the tag and uncompressed archive
>> > 'checksums' (e.g. hashes) relate to each other and where those
>> > guarantees come from.
>>
>> There is no such linkage, and there are no guarantees. The trust
>> you may or may not have on the PGP key that signs the tag and the
>> checksums of the tarball is the only source of such assurance.
>>
>> More importantly, I do not think there can be any such linkage
>> between the Git tree and release tarball:
>
> Hmm... I've actually considered writing a tool that would verify whether a
> tarball corresponds to a signed tag/commit. It should be entirely possible,
> no?

I was saying "I have this git commit (or tree) object name. Compute
the hash for a .tar archive that would contain the contents of that
tree." has no unique answer.

You are solving a different problem: "I have this tar archive; what
git tree object would I get if I extract this archive to an empty
directory and said 'git add . && git write-tree'?". I agree that one
is computable.

Of course, even that reverse problem will break once we consider the
release tarball generation procedure where we _add_ some generated
files that are not in the Git tree, for builder's convenience.
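A worked version of the reverse computation discussed above, added here as an example and not code from the thread or from git itself: it derives the git tree object name directly from a tarball's contents (the same name `git add . && git write-tree` would print), dropping the archive's leading prefix directory and any listed generated files. The `exclude` parameter, the `build_tarball` helper and the sample file names are assumptions for illustration.

```python
import hashlib
import io
import tarfile

def git_blob_id(data: bytes) -> str:
    # Object name of a blob: sha1("blob <len>\0" + content)
    return hashlib.sha1(b"blob %d\0" % len(data) + data).hexdigest()

def _tree_id(node: dict) -> str:
    # Hash {name: (mode, sha) | subdict} as a git tree; git sorts a directory as name + "/"
    def key(item):
        return item[0] + "/" if isinstance(item[1], dict) else item[0]
    body = b""
    for name, value in sorted(node.items(), key=key):
        mode, sha = ("40000", _tree_id(value)) if isinstance(value, dict) else value
        body += f"{mode} {name}".encode() + b"\0" + bytes.fromhex(sha)
    return hashlib.sha1(b"tree %d\0" % len(body) + body).hexdigest()

def tree_id_from_tarball(tar_bytes: bytes, strip_components=1, exclude=()) -> str:
    # The tree `git add . && git write-tree` would produce from the archive, after dropping
    # the prefix directory and the generated files in `exclude` (assumed: paths relative to root)
    root: dict = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for m in tar.getmembers():
            parts = [p for p in m.name.split("/") if p not in ("", ".")][strip_components:]
            if not parts or "/".join(parts) in exclude:
                continue
            if m.issym():
                mode, data = "120000", m.linkname.encode()
            elif m.isfile():
                mode = "100755" if m.mode & 0o111 else "100644"
                data = tar.extractfile(m).read()
            else:
                continue  # dirs are implied by their files; devices etc. have no git mode
            node = root
            for d in parts[:-1]:
                node = node.setdefault(d, {})
            node[parts[-1]] = (mode, git_blob_id(data))
    return _tree_id(root)

def build_tarball(files: dict) -> bytes:
    # Constructed sample archive ({path: bytes} -> tar bytes); not a real release
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, content in files.items():
            info = tarfile.TarInfo(path)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()
```

After verifying the tag signature, compare the result with `git rev-parse <tag>^{tree}`; a mismatch that persists once the known generated files are excluded means the tarball does not contain the tagged tree.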