
TIL 7z posts quarterly sources in archives. Well, that's a bit sketchy.


What's sketchy? It's a less common model these days, but GNU traditionally did that.


Same thing happens with Bash: The guy pukes out a new tarball or a new diff every few months if he feels like it.


And again: What's wrong with that?


Keeping a clean, public VCS is a pain in the neck. If you're working on anything less than a large open-source project with many devs and random contributions, it's a pointless hassle. Can you tell me how that makes it any sketchier than leaving a public GitHub?


Public GitHub with CI means the binary was built unmodified from source. You can turn off issues/PRs and push only release branches with squashed commits.


Assuming you trust GitHub, of course. I think if someone is seriously worried code has been altered between source and maintainer-provided binary, his big concern will be the time it takes to audit the source code (which he also shouldn't trust). The build time will be inconsequential next to that.


The Reproducible Builds project is working on trustworthy builds:

https://reproducible-builds.org/
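What "built unmodified from source" and the reproducible-builds link above actually reduce to is this: two independent builders take the same source and must end up with bit-identical artifacts, so anyone can compare a hash instead of trusting one CI. The script below is an added example, not code from this thread or from reproducible-builds.org. It simulates two builders that check out the same (constructed) three-file source tree a day apart, runs a stand-in "compiler" that stamps a build date the way `__DATE__` would, and packages the result; the naive path lets file mtimes, ownership, modes and the gzip header timestamp leak in and the hashes diverge, while the normalized path pins them to a fixed `SOURCE_DATE_EPOCH` (the convention that project documents; the value 1700000000 is an assumption here) and the hashes match.

```python
"""Two independent builders, same source: does the artifact hash match?
Added example; not code from the HN thread or the Reproducible Builds project."""
import gzip
import hashlib
import io
import os
import pathlib
import tarfile
import tempfile
import time

# Assumption: the release pins one build timestamp, following the
# SOURCE_DATE_EPOCH convention documented at reproducible-builds.org.
SOURCE_DATE_EPOCH = 1_700_000_000

# Constructed sample source tree; the contents are arbitrary.
SOURCE_FILES = {
    "src/main.c": '#include <stdio.h>\nint main(void){puts("hi");return 0;}\n',
    "src/util.h": '#define VERSION "1.0"\n',
    "README": "toy project\n",
}


def write_source_tree(root: pathlib.Path, checkout_time: int) -> None:
    """Materialise the tree as a fresh checkout would, with this builder's own mtimes."""
    for rel, text in SOURCE_FILES.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(text)
        os.utime(p, (checkout_time, checkout_time))
    for d in [root] + [p for p in root.rglob("*") if p.is_dir()]:
        os.utime(d, (checkout_time, checkout_time))


def compile_step(root: pathlib.Path, reproducible: bool) -> None:
    """Stand-in for a compiler: emits an object that embeds a build date, as __DATE__ would.
    A reproducible toolchain takes that date from SOURCE_DATE_EPOCH instead of the clock."""
    stamp = SOURCE_DATE_EPOCH if reproducible else int(time.time())
    digest = hashlib.sha256((root / "src" / "main.c").read_bytes()).hexdigest()
    out = root / "build" / "main.o"
    out.parent.mkdir(exist_ok=True)
    out.write_text(f"source={digest}\nbuilt={stamp}\n")


def _normalize(ti: tarfile.TarInfo) -> tarfile.TarInfo:
    """Strip everything that varies between builders but not between sources."""
    ti.mtime = SOURCE_DATE_EPOCH
    ti.uid = ti.gid = 0
    ti.uname = ti.gname = ""
    ti.mode = 0o755 if ti.isdir() else 0o644
    return ti


def package(root: pathlib.Path, reproducible: bool) -> bytes:
    """Tar + gzip the tree. tarfile.add() walks sorted names, so entry order is stable either way."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        tf.add(root, arcname="release", filter=_normalize if reproducible else None)
    raw = buf.getvalue()
    # gzip writes its own timestamp into the header; pin it too or the hash still drifts.
    return gzip.compress(raw, mtime=SOURCE_DATE_EPOCH) if reproducible else gzip.compress(raw)


def build_once(checkout_time: int, reproducible: bool) -> str:
    """One builder: checkout, compile, package; returns the sha256 of the artifact."""
    with tempfile.TemporaryDirectory() as tmp:
        root = pathlib.Path(tmp) / "work"
        write_source_tree(root, checkout_time)
        compile_step(root, reproducible)
        return hashlib.sha256(package(root, reproducible)).hexdigest()


def compare_builders(reproducible: bool) -> bool:
    """Builder A checked out one day, builder B the next; same source. Do the artifacts match?"""
    a = build_once(checkout_time=1_600_000_000, reproducible=reproducible)
    b = build_once(checkout_time=1_600_086_400, reproducible=reproducible)
    return a == b


if __name__ == "__main__":
    print("naive build reproducible?      ", compare_builders(False))
    print("normalized build reproducible? ", compare_builders(True))
```

The point of the comparison is that `compare_builders(True)` holds no matter who runs it, so a downstream user can rebuild the published tarball and check the hash against the maintainer's binary without trusting GitHub's CI, the maintainer's machine, or this script's author; that is the check the reproducible-builds effort is trying to make routine. Real toolchains have more sources of nondeterminism than the ones normalized here (build paths, parallelism, locale), which is what the project's documentation catalogues.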



