[issue40293] cpython-source-deps project missing release for libffi commits
Gregory Szorc
report at bugs.python.org
Wed Apr 15 12:16:59 EDT 2020
Gregory Szorc <gregory.szorc at gmail.com> added the comment:
I don't like utilizing the dynamic archive links like https://github.com/python/cpython-source-deps/archive/libffi.zip (even if you pin the commit) because GitHub does not guarantee the file content is deterministic over time. I perform SHA-256 validation of all dependencies I download from the Internet. And if I rely on the /archive/ URLs, all it takes is GitHub updating some library that subtly changes the tar/zip structure and my hashes are invalidated.
Release artifacts are immutable and don't have this problem.
As it stands, I will likely `git clone` and check out the commit I need. Although I would prefer a release artifact.
----------
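The determinism problem described in the comment above, illustrated with an added example (not code from the tracker or from the cpython-source-deps project): the same two-file "source tree" is packed twice with different archive metadata, standing in for a hosting service changing its archiver, and the archive-level SHA-256 pin breaks while a digest computed over the extracted file contents stays stable. The sample tree, the timestamps and the `content_digest` scheme are all constructed for this example.

```python
import hashlib
import hmac
import io
import zipfile

# Constructed sample "source tree" (assumption: stands in for a real dependency).
SAMPLE_TREE = {
    "libffi/README": b"libffi sample\n",
    "libffi/src/ffi.c": b"int ffi(void) { return 0; }\n",
}


def build_zip(tree, date_time, compression):
    """Pack `tree` into an in-memory zip.

    Differences in timestamps and compression method stand in for a service
    regenerating an archive with a different archiver; the file contents are
    identical in both builds.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in tree.items():
            info = zipfile.ZipInfo(name, date_time=date_time)
            info.compress_type = compression
            zf.writestr(info, content)
    return buf.getvalue()


def sha256_hex(data):
    """Archive-level digest: what a pin on the downloaded file checks."""
    return hashlib.sha256(data).hexdigest()


def content_digest(zip_bytes):
    """Digest over the extracted files, sorted by path and length-prefixed,
    so it does not depend on how the archive container was laid out."""
    h = hashlib.sha256()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in sorted(zf.namelist()):
            if name.endswith("/"):
                continue  # directory entries carry no content
            data = zf.read(name)
            h.update(name.encode("utf-8") + b"\0")
            h.update(len(data).to_bytes(8, "big"))
            h.update(data)
    return h.hexdigest()


def verify(actual_hex, pinned_hex):
    """Constant-time comparison of a computed digest against a pinned one."""
    return hmac.compare_digest(actual_hex, pinned_hex)


def build_pair():
    """Two archives of the identical tree, differing only in archiver metadata."""
    first = build_zip(SAMPLE_TREE, (2020, 4, 15, 0, 0, 0), zipfile.ZIP_STORED)
    second = build_zip(SAMPLE_TREE, (2020, 4, 16, 0, 0, 0), zipfile.ZIP_DEFLATED)
    return first, second


def archive_pin_survives():
    """False: an archive-level pin breaks when only the container changes."""
    first, second = build_pair()
    return verify(sha256_hex(second), sha256_hex(first))


def content_pin_survives():
    """True: a content-level pin is unaffected by container changes."""
    first, second = build_pair()
    return verify(content_digest(second), content_digest(first))


def content_pin_detects_tampering():
    """True: changing one byte of a source file changes the content digest."""
    tampered = dict(SAMPLE_TREE)
    tampered["libffi/src/ffi.c"] = b"int ffi(void) { return 1; }\n"
    good = build_zip(SAMPLE_TREE, (2020, 4, 15, 0, 0, 0), zipfile.ZIP_STORED)
    bad = build_zip(tampered, (2020, 4, 15, 0, 0, 0), zipfile.ZIP_STORED)
    return not verify(content_digest(bad), content_digest(good))


if __name__ == "__main__":
    print("archive pin survives re-archiving:", archive_pin_survives())
    print("content pin survives re-archiving:", content_pin_survives())
    print("content pin detects tampering:   ", content_pin_detects_tampering())
```

The content-level digest is a workaround for dynamic archive URLs, not a substitute for an immutable release artifact: it still has to be pinned against a value obtained out of band, and it says nothing about what else the hosting service might add to the archive. Pinning a git commit, as the comment proposes, gives the same property directly, since the commit hash already commits to the tree contents.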
_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue40293>