Hacker News new | ask | show | jobs
by Kluggy 812 days ago
It's absolutely because of inertia. Cutting a tarball is a very public indicator that the software is ready to be used. A git tag or branch doesn't have the clarity of "use this" as a release tarball does.

That said, this is absolutely going to be changing now. We obviously can't keep relying on tarballs anymore. We'll find a new normal that will work for a very long time until some other critical issue arises and the cycle repeats.
1 comments
kzrdude 812 days ago
We can use tarballs - they are useful as signed artifacts, but only if we verify that they are reproducible.
link
lupusreal 812 days ago
If you're going to download both the tarball and the got repo and verify the reproducibility of the tarball, then why bother with the tarball at all? You already have the got repo.
link
b112 812 days ago
A git repo can vanish overnight. Git is often used to snag source, but tarballs are still crafted after even then:

https://news.ycombinator.com/item?id=39903813

link
kijin 812 days ago
Git repos only vanish if they have no clones. For the purpose of accountability, the "official" repo is not more privileged than any other clone that retains the same history, and can be verifiably recreated from any clone if it is ever lost or tampered with. (Assuming SHA-1 isn't too broken, that is.)

For archival purposes, nothing prevents people from creating a tarball that contains the .git directory as well, which would preserve not only the current state of the project but its entire history.

link
b112 812 days ago
Git repos only vanish if they have no clones.

And? You're speaking probabilities, not certainties. It's not relevant in terms of archiving. You don't guess, you don't hope, you simply 100% ensure that 10 days, 19 years, or a century from now you can build the same thing.

I agree that adding "extra stuff" to a tarball isn't a bad idea, and in fact, many already do!

link
lupusreal 812 days ago
If you can archive the tarball, you can archive the git repos. If for some reason you can't, you can cut your own tarballs from the git repo and then you don't have to worry about them because you made them yourself.
link