Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Recognise tags pinned by their object hash instead of their name as secure #1

Closed
diabonas opened this issue May 29, 2022 · 2 comments
Closed

Recognise tags pinned by their object hash instead of their name as secure #1

diabonas opened this issue May 29, 2022 · 2 comments

Comments

@diabonas
Copy link

archlinux-inputs-fsck currently only recognises Git sources pinned by a commit hash as secure. However as outlined in a recent arch-dev-public mailing list post, pinning the SHA-1 hash of the tag object is as secure as pinning the commit ID:

_tag=1234567890123456789012345678901234567890 # git rev-parse "$tag_name"
source=("git+$url?signed#tag=$_tag")

Therefore is_commit_securely_pinned() should distinguish the case when the tag "name" is a 40-digit hex ID and return true in this case.
@kpcyrd
Copy link
Owner

kpcyrd commented May 30, 2022

Fixed in ada3c9e, thanks!

@kpcyrd kpcyrd closed this as completed May 30, 2022
@diabonas
Copy link
Author

Awesome, thank you very much for the quick fix!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@kpcyrd @diabonas