in reply to daniel:// stenberg://

The #curl release on GitHub is now marked as "immutable" and there's even something they call "release attestation" there now.

Just remember that the curl canonical releases are the signed tarballs uploaded by me. Reproducible, so you can verify them at will to not contain bad things. Signed to prove I did them.

Made with love and care, I promise.

#curl
in reply to daniel:// stenberg://

@vbernat I work next to the team at GitHub that implemented immutable releases. It's off by default, but if someone else turned it on and you don't want it, you can disable it in your repository settings under General > Releases.

In an ideal world, security capabilities on GitHub would work equally well for enterprise users and open source maintainers. Immutable releases do skew more towards enterprise, but I'm open to feedback on how to make it better for open source as well.

in reply to daniel:// stenberg://

@vbernat

> Our canonical releases are the tarballs we make and upload, and the ones GitHub generates (and that can't be opted out from) are more of a disturbance/annoyance that tricks users into downloading the wrong files.

100% agree there. The automatic source archive is a legacy feature of releases that the current team inherited. It is on the list of things to clean up, although of course there are other users who rely on that feature as well.