EPICS Controls Argonne National Laboratory

Experimental Physics and Industrial Control System

Subject: Re: Changed source archive of StreamDevice release 2.8.22
From: Michael Davidsaver via Tech-talk <tech-talk at aps.anl.gov>
To: NICOLE Remi <remi.nicole at cea.fr>
Cc: "tech-talk at aps.anl.gov" <tech-talk at aps.anl.gov>
Date: Fri, 25 Nov 2022 09:17:57 -0800
On 11/24/22 07:38, NICOLE Remi via Tech-talk wrote:
> But it seems weird to me that GitHub "reuploaded" the tarball, despite
> GitHub saying the release was made in 2021-11-11.
>
> It also feels weird that a source tarball of a fixed tagged version is
> not itself "fixed". This, to me, feels like a security issue.

imo. concerns of this sort are a good reason to avoid relying on github.com
specific behavior like the automatic .tar/.zip file creation.

With epics-base, and my own projects, I'm trying to use PGP signed tags,
which can be verified independently of github.com (or any forge site).

eg.

$ git clone --depth 1 --branch 1.0.1 https://github.com/mdavidsaver/pvxs.git
...
$ cd pvxs
$ git tag -v 1.0.1
object 6ee82fac6533d6551b18aa489cb263adc1333018
type commit
tag 1.0.1
tagger Michael Davidsaver <mdavidsaver at gmail.com> 1665862720 -0700

1.0.1
gpg: Signature made Sat 15 Oct 2022 12:38:40 PM PDT
gpg:                using RSA key 63245DAE9C6E10DBB4E923AB9401E6CB3D7F18EA
gpg:                issuer "mdavidsaver at gmail.com"
gpg: Good signature from "Michael Davidsaver <mdavidsaver at gmail.com>" [ultimate]
gpg:                 aka "Michael Davidsaver <mdavidsaver at ospreydcs.com>" [ultimate]

fyi. my primary key is 5C159E669D69E2D4C4E74E540C8E1C8347330CFB

https://keys.openpgp.org/vks/v1/by-fingerprint/5C159E669D69E2D4C4E74E540C8E1C8347330CFB

Of course, with current state of the PGP key server system, managing keys
is even more of a challenge than previously...

Attachment: OpenPGP_signature
Description: OpenPGP digital signature
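As an added example (not part of the message above), the check a consumer of a signed tag would script: `git tag -v` exits 0 whenever any key in the local keyring produced a good signature, so a release pipeline should additionally pin the expected primary-key fingerprint from GnuPG's status output. The status keywords and the VALIDSIG field layout are those of GnuPG's status-fd interface; the sample status lines are constructed to match the `git tag -v 1.0.1` run shown, and the second sample uses an all-zero placeholder fingerprint.

```python
import subprocess
from typing import Iterable, Optional

# Primary-key fingerprint quoted in the message above. The tag was signed by an RSA
# subkey (63245DAE...), so pin the primary fingerprint GnuPG reports on VALIDSIG.
TRUSTED_PRIMARY_FINGERPRINTS = {"5C159E669D69E2D4C4E74E540C8E1C8347330CFB"}
# GnuPG status keywords that mean the signature must be rejected outright.
REJECT = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"}

def signing_primary_fingerprint(status_lines: Iterable[str]) -> Optional[str]:
    """Return the primary-key fingerprint behind a valid signature, else None.
    Input is GnuPG status-fd output as `git verify-tag --raw` prints it. VALIDSIG
    fields: <sig-key fpr> <date> <ts> <exp-ts> <ver> <reserved> <pk-algo>
    <hash-algo> <sig-class> [<primary-key fpr>]"""
    primary = None
    for line in status_lines:
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        if fields[1] in REJECT:
            return None
        if fields[1] == "VALIDSIG":
            # Old gpg versions omit the primary fingerprint; fall back to the signing key.
            primary = fields[11] if len(fields) >= 12 else fields[2]
    return primary.upper() if primary else None

def signed_by_trusted_key(status_lines, trusted=TRUSTED_PRIMARY_FINGERPRINTS) -> bool:
    """True only if the signature is valid AND made under a pinned primary key."""
    fpr = signing_primary_fingerprint(status_lines)
    return fpr is not None and fpr in {t.upper() for t in trusted}

def verify_git_tag(tag: str, repo: str = ".") -> bool:
    """Exit status alone only says that *some* key in the keyring signed the tag."""
    proc = subprocess.run(["git", "-C", repo, "verify-tag", "--raw", tag],
                          capture_output=True, text=True)  # --raw sends status to stderr
    return proc.returncode == 0 and signed_by_trusted_key(proc.stderr.splitlines())

# Constructed status output modelled on the `git tag -v 1.0.1` run quoted above.
SAMPLE_GOOD = [
    "[GNUPG:] GOODSIG 9401E6CB3D7F18EA Michael Davidsaver <mdavidsaver at gmail.com>",
    "[GNUPG:] VALIDSIG 63245DAE9C6E10DBB4E923AB9401E6CB3D7F18EA 2022-10-15 1665862720"
    " 0 4 0 1 10 00 5C159E669D69E2D4C4E74E540C8E1C8347330CFB",
]
# Constructed: a "Good signature" from some other keyring key (placeholder fingerprint).
SAMPLE_OTHER_KEY = [
    "[GNUPG:] GOODSIG 0000000000000000 Someone Else <someone at example.invalid>",
    "[GNUPG:] VALIDSIG 0000000000000000000000000000000000000000 2022-10-15 1665862720"
    " 0 4 0 1 10 00 0000000000000000000000000000000000000000",
]
```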