M4SS-Code / cargo-goggles

Verify that registry crates in your Cargo.lock are reproducible from the git repository
https://crates.io/crates/cargo-goggles
Apache License 2.0

Test that commit is reachable from the default branch #21

Open · link2xt opened 3 months ago

link2xt commented 3 months ago

It is easy to create a commit somewhere off the main branch where nobody reviews it. Some projects keep a non-main branch as the default or maintain multiple stable branches that contain backports and are never merged into main, but at least a warning would be nice.

I also wonder if we can do something to prevent (re)moving tags later. If we check a published crate today and the tag is in the right place, it can still be moved later. Can we do something to prevent it? I have looked a bit into annotated tags, but it does not seem to be possible to merge the tag into a branch, i.e. make it impossible to remove the tag without force-pushing, right?

I can see the hash of annotated tags in .git/packed-refs, and it is different from the hash of the commit the annotated tag points to, but attempting to merge this into the main branch results in merging the commit; git says there is nothing to do, "already merged".

In Mercurial it is different: tags are stored in a .hgtags file that is actually committed to the branch. This means tags look different depending on the commit checked out, but they are permanently recorded in the history. Is there anything similar for git? It seems to be at least possible to extend git this way; nothing prevents writing .gittags into the repo.

VorpalBlade commented 3 months ago

> Some projects keep a non-main branch as the default or maintain multiple stable branches that contain backports and are never merged into main, but at least a warning would be nice.

You could also check if the commit in question is reachable from any tag at all. If it isn't, that might mean the release was made from a PR that later got rebased. Regardless, it is quite suspicious.

> I also wonder if we can do something to prevent (re)moving tags later. If we check a published crate today and the tag is in the right place, it can still be moved later. Can we do something to prevent it? I have looked a bit into annotated tags, but it does not seem to be possible to merge the tag into a branch, i.e. make it impossible to remove the tag without force-pushing, right?

I believe annotated tags can still be moved. Those tags can be GPG-signed though, unlike normal tags (which is nice, but doesn't help cargo-goggles much). As gittags is not a standard (it would be one we make up) it might be a hard sell, and would be impossible to enforce.
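The two checks proposed in this thread (commit reachable from the default branch, commit contained in at least one tag), as an added example script that is not part of cargo-goggles. It assumes a local clone whose remote is named `origin` and which has fetched all tags; with no remote it falls back to the branch HEAD is on.

```shell
#!/bin/sh
# Added example (not cargo-goggles code): reachability checks for the commit a
# crate claims to be built from, run against a local clone with all tags fetched.
# Assumes the remote is called "origin"; without one, HEAD's branch is used.
set -eu

# Print the default branch ref of repo $1, e.g. "origin/main".
default_branch() {
  git -C "$1" symbolic-ref --short refs/remotes/origin/HEAD 2>/dev/null \
    || git -C "$1" symbolic-ref --short HEAD
}

# Succeed if commit $2 is an ancestor of (or equal to) ref $3 in repo $1.
reachable_from_ref() {
  git -C "$1" merge-base --is-ancestor "$2" "$3" 2>/dev/null
}

# Succeed if at least one tag contains commit $2; tag names go to stdout.
# A commit that no tag contains may come from a PR branch that was later
# rebased, or from a tag that has since been moved.
tags_containing() {
  tags=$(git -C "$1" tag --contains "$2" 2>/dev/null) \
    && [ -n "$tags" ] && echo "$tags"
}

# Run both checks, printing one warning per failed check.
# Returns 0 only if the commit is reachable from the default branch and a tag.
check_commit() {
  repo="$1"; commit="$2"; rc=0
  branch=$(default_branch "$repo")
  if ! reachable_from_ref "$repo" "$commit" "$branch"; then
    echo "warning: $commit is not reachable from default branch $branch"
    rc=1
  fi
  if ! tags_containing "$repo" "$commit" >/dev/null; then
    echo "warning: $commit is not contained in any tag (rebased or moved?)"
    rc=1
  fi
  return "$rc"
}

# Usage: ./check-commit.sh <path-to-clone> <commit-hash>
if [ -n "${1:-}" ] && [ -n "${2:-}" ]; then
  check_commit "$1" "$2"
fi
```

A backport commit on a stable branch trips only the default-branch warning (it is tagged but never merged into main), which matches the "at least a warning" behaviour discussed above.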