AGWA / git-crypt

Transparent file encryption in git
https://www.agwa.name/projects/git-crypt/
GNU General Public License v3.0

Is the `apt-get install` version of git-crypt official? #246

Open tolmasky opened 2 years ago

tolmasky commented 2 years ago

I don't see any mention of using apt-get to install git-crypt in the README, but it appears to be available on apt-get. Just want to know whether this is an official distribution channel provided by this project or if it should be avoided.

alerque commented 2 years ago

I assume you are using Ubuntu.

Ubuntu has had packaging for git-crypt in their universe repository since 16.04 (xenial). Note that this is downstream from Debian packaging which has had packages available since Debian 9 (stretch).

Whenever packages are available for your distro for anything you should probably consider using those first. In this case they are not official as far as being put out by this upstream project, but they are official as far as being managed by the distro packagers and release process. Unless you find an issue with them and need upstream builds for some reason you should always consider your distro's package manager first.

In this case the disadvantage is going to be tempo. Debian and Ubuntu have 0.6.0 and it may be some time before they get 0.7.0. If you need the latest version then you'll need to build your own from source or use one of the alternative package managers.

I don't think there are any major security issues with 0.6.0; the latest release just has some minor argument handling fixups.

AGWA commented 2 years ago

git-crypt author here. I maintain the Debian/Ubuntu git-crypt package, so yes it is "official" and OK to use, but note:

  1. In general you should not prefer distro packages over upstream builds. For example, the Alpine package for git-crypt is not maintained by this project and contains unofficial patches that introduce security vulnerabilities and break compatibility with other versions of git-crypt. Only the Debian/Ubuntu package is sanctioned.
  2. Even though the Debian/Ubuntu package is sanctioned by this project, it will almost always be an older version of git-crypt, because it is a long process to go from releasing a new version of git-crypt to having it included in a stable release of Debian/Ubuntu. So you may still want to consider using upstream builds.
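A check a practitioner can run on Debian/Ubuntu after reading this thread, as an added example that is not part of the issue or of the git-crypt project's own code. It confirms that the `git-crypt` binary on PATH is owned by the distro package (and not a source build in `/usr/local` shadowing it), prints the package's maintainer and version, and compares the upstream part of the Debian version string against a minimum. The minimum defaults to 0.7.0 only because that is the release the thread names; it is an illustrative threshold, not a project recommendation. The version helpers use only `sort -V` and `sed`, so they run anywhere; the live package checks need `dpkg` and are only executed when the script is invoked with `--check`.

```shell
#!/bin/sh
# Added example (not from the git-crypt project): is the git-crypt on PATH
# the Debian/Ubuntu package, and is it at least a given upstream version?
# Assumes a Debian-style system (dpkg, dpkg-query) for the live checks.

# Minimum upstream version to accept; 0.7.0 is the release named in the
# thread and is only an illustrative default (override: REQUIRED=0.6.0 ...).
REQUIRED=${REQUIRED:-0.7.0}

# Return 0 if $1 >= $2 using version-aware ordering, so that
# 0.6.0 < 0.7.0 and 0.6.0 < 0.10.0 (plain string comparison would get the
# second one wrong).
version_at_least() {
    installed=$1
    required=$2
    # Whichever sorts first is the lower version; it must be the requirement.
    lowest=$(printf '%s\n%s\n' "$installed" "$required" | sort -V | head -n 1)
    [ "$lowest" = "$required" ]
}

# Reduce a Debian version string to its upstream part:
# "1:0.6.0-1build1" -> "0.6.0" (strip the epoch and the Debian revision).
upstream_version() {
    printf '%s\n' "$1" | sed -e 's/^[0-9]*://' -e 's/-[^-]*$//'
}

# Live checks against the installed system.
check_installed() {
    bin=$(command -v git-crypt) || { echo "git-crypt is not on PATH"; return 1; }

    # dpkg -S fails when the binary is not owned by any package, which is
    # what a from-source install in /usr/local (or a third-party build) looks like.
    if ! owner=$(dpkg -S "$bin" 2>/dev/null); then
        echo "$bin is not owned by a Debian package (source or third-party build?)"
        return 1
    fi
    echo "binary owned by: $owner"

    # Show who maintains the package and which version is installed.
    dpkg-query -W -f='package ${Package} ${Version}, maintainer: ${Maintainer}\n' git-crypt

    ver=$(upstream_version "$(dpkg-query -W -f='${Version}' git-crypt)")
    if version_at_least "$ver" "$REQUIRED"; then
        echo "installed upstream version $ver satisfies >= $REQUIRED"
    else
        echo "installed upstream version $ver is older than $REQUIRED; consider an upstream build"
        return 1
    fi
}

# Only touch the live system when explicitly asked.
if [ "${1:-}" = "--check" ]; then
    check_installed
fi
```

Run it as `sh check-git-crypt.sh --check`; a non-zero exit means either the binary is not the distro package or the packaged version is below the threshold, which is exactly the "older version, consider upstream" situation the maintainer describes.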