Re: Changed source archive of StreamDevice release 2.8.22

[Michael Davidsaver via Tech-talk <tech-talk@aps.anl.gov>]

On 11/24/22 07:38, NICOLE Remi via Tech-talk wrote:
> But it seems weird to me that GitHub "reuploaded" the tarball, despite
> GitHub saying the release was made in 2021-11-11.
>
> It also feels weird that a source tarball of a fixed tagged version is
> not itself "fixed". This, to me, feels like a security issue.
imo. concerns of this sort are a good reason to avoid relying on github.com
specific behavior like the automatic .tar/.zip file creation.

With epics-base, and my own projects, I'm trying to use PGP signed tags.
Which can be verify independently of github.com (or any forge site).

eg.

> $ git clone --depth 1 --branch 1.0.1 https://github.com/mdavidsaver/pvxs.git
> ...
> $ cd pvxs
> $ git tag -v 1.0.1
> object 6ee82fac6533d6551b18aa489cb263adc1333018
> type commit
> tag 1.0.1
> tagger Michael Davidsaver <mdavidsaver@gmail.com> 1665862720 -0700
>
> 1.0.1
> gpg: Signature made Sat 15 Oct 2022 12:38:40 PM PDT
> gpg:                using RSA key 63245DAE9C6E10DBB4E923AB9401E6CB3D7F18EA
> gpg:                issuer "mdavidsaver@gmail.com"
> gpg: Good signature from "Michael Davidsaver <mdavidsaver@gmail.com>" [ultimate]
> gpg:                 aka "Michael Davidsaver <mdavidsaver@ospreydcs.com>" [ultimate]


fyi. my primary key is 5C159E669D69E2D4C4E74E540C8E1C8347330CFB

https://keys.openpgp.org/vks/v1/by-fingerprint/5C159E669D69E2D4C4E74E540C8E1C8347330CFB

Of course, with current state of the PGP key server system, managing keys
is even more of a challenge than previously...

Attachment: OpenPGP_signature
Description: OpenPGP digital signature