
151 points fastest963 | 2 comments
hoistbypetard No.45772532
My instant reaction was: "Wait?! They weren't immutable before?"

I'm glad they're doing this, and it's an unpleasant surprise that they didn't already work this way. I don't understand why they allow mutable releases.

replies(6): >>45772557 #>>45772741 #>>45772761 #>>45773634 #>>45773953 #>>45774010 #
johnisgood No.45772557
Yeah, how did it work before that it was not immutable?!

> With immutable releases, assets and tags are protected from tampering after publication

I really, really wonder how it worked before. Can anyone explain?

replies(3): >>45772706 #>>45772734 #>>45773693 #
1. a022311 No.45772706
"Before", it was trivial to move or delete tags and edit release assets. The only stable identifier available was the commit hash.

Immutable releases now enable permanently locking tags and releases to make supply chain attacks harder to affect users who are using release assets from before an attack occurred.

The previous behavior is still available by the way, I'm not sure what you meant by "before".

replies(1): >>45773461 #
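
An added example, not part of the thread and not GitHub's tooling: because the commit hash was the only stable identifier, a consumer can pin each tag to the commit it pointed at when reviewed and later compare those pins with `git ls-remote --tags` output. The pins, the SHAs and the ls-remote text below are constructed sample data, and the function names are hypothetical.

```python
# Added example: detect moved or deleted tags by comparing pinned commits
# against `git ls-remote --tags` output. All SHAs below are constructed.
OLD_1, OLD_2, OLD_3 = "1" * 40, "2" * 40, "3" * 40
TAG_OBJ, NEW_2 = "a" * 40, "9" * 40

# Assumption: pins were recorded when each release was first reviewed.
PINNED = {"v1.0.0": OLD_1, "v1.1.0": OLD_2, "v1.2.0": OLD_3}

# Constructed ls-remote output taken later. An annotated tag is listed twice:
# the tag object itself, then a "^{}" line naming the commit it resolves to.
LS_REMOTE = (
    f"{OLD_1}\trefs/tags/v1.0.0\n"
    f"{TAG_OBJ}\trefs/tags/v1.1.0\n"
    f"{NEW_2}\trefs/tags/v1.1.0^{{}}\n"
    f"{OLD_1}\trefs/heads/main\n"
)


def parse_ls_remote(text):
    """Return {tag: commit_sha}, preferring the peeled (^{}) commit."""
    direct, peeled = {}, {}
    for line in text.splitlines():
        if not line.strip():
            continue
        sha, ref = line.split(None, 1)
        if not ref.startswith("refs/tags/"):
            continue  # branches and other refs are not release tags
        name = ref[len("refs/tags/"):]
        if name.endswith("^{}"):
            peeled[name[:-3]] = sha  # commit behind an annotated tag
        else:
            direct[name] = sha  # lightweight tag, or the tag object
    return {**direct, **peeled}


def check_pins(pinned, observed):
    """Classify every pinned tag as ok, moved, or deleted."""
    findings = {}
    for tag, sha in pinned.items():
        if tag not in observed:
            findings[tag] = "deleted"
        elif observed[tag] != sha:
            findings[tag] = "moved"
        else:
            findings[tag] = "ok"
    return findings


if __name__ == "__main__":
    for tag, state in check_pins(PINNED, parse_ls_remote(LS_REMOTE)).items():
        print(f"{tag}: {state}")
```

Comparing the raw tag-object line instead of the peeled `^{}` line would report every annotated tag as moved, which is why the parser prefers the peeled entry.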
2. johnisgood No.45773461
> The previous behavior is still available by the way, I'm not sure what you meant by "before".

I know, I was just wondering how it worked that needed this improvement.