From: Colin Walters <walters@verbum.org>
To: git@vger.kernel.org
Subject: weaning distributions off tarballs: extended verification of git tags
Date: Sat, 28 Feb 2015 09:48:05 -0500
Message-ID: <1425134885.3150003.233627665.2E48E28B@webmail.messagingengine.com>

Hi, 

TL;DR: Let's define a standard for embedding stronger checksums in tags and commit messages:
https://github.com/cgwalters/homegit/blob/master/bin/git-evtag

I think tarballs should go away as a source distribution mechanism in favor of pure git.  I won't go into too many details of the "why" here (hopefully most of you agree!) but that's the background.

Now, there are a few things that the classical tarball model provides:

- Version numbers compatible with dpkg/rpm/etc
  -> Do the same with your tag names, and use a well known scheme like "v$VERSION"
- The assumption that this source has been run through some tests
  -> Broken assumption, and regardless you want to rerun tests downstream
- Hosting providers typically offer a strong checksum over the entire source
  -> The topic of this post

The above strawman code allows embedding the SHA256(git archive | tar).  Now,
in order to make this work, the byte output of "git archive" must never change in the
future.  I'm not sure how valid an assumption this is.  Timestamps are set to the
commit timestamp, but I could imagine someone wanting to come along later
and tweak the output to be compatible with some variant of tar or something.

We could define the checksum to be over the stream of raw objects, sorted by their checksum,
and that way be independent of archiving format variations.

Is there agreement that something like this makes sense in the git core?  Does the
concept make sense?  Does anything like this exist today?  Other thoughts/objections?
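To make the two checksum candidates in the message concrete, here is an added illustration (my own code, not Colin Walters's git-evtag script and not anything in git itself). It builds a tiny in-memory git object graph with the standard library only, so no git binary is needed: `git_object` encodes objects exactly as git does (`<type> <size>\0<payload>`, SHA-1 over that), `object_stream_checksum` implements the "raw objects sorted by their checksum" proposal, and `tar_checksum` stands in for `SHA256(git archive | tar)`. The sample files, the mtime value and the two tar layouts are constructed for the demo. Running it shows that re-ordering members or changing the tar format or timestamps changes the archive digest while the object-stream digest stays fixed, which is the independence from archiving variations the message asks for.

```python
"""Deterministic source checksums for a git tree, independent of 'git archive' output.

Added illustration (not git-evtag, not git's own code): builds a tiny in-memory
git object graph, hashes the raw objects sorted by object id, and contrasts that
with SHA-256 over two differently laid out tar archives of the same files.
"""
import hashlib
import io
import tarfile
from typing import Dict, Tuple


def git_object(kind: str, payload: bytes) -> Tuple[str, bytes]:
    """Encode a loose git object the way git does: '<kind> <size>\\0<payload>'.
    Returns the SHA-1 object id (hex) and the raw bytes that id covers."""
    raw = f"{kind} {len(payload)}".encode("ascii") + b"\0" + payload
    return hashlib.sha1(raw).hexdigest(), raw


def make_tree(entries: Dict[str, Tuple[str, str]]) -> Tuple[str, bytes]:
    """Build a tree object from {name: (mode, child_oid_hex)}.
    Git stores entries sorted by name with the child id in binary form."""
    payload = b"".join(
        f"{mode} {name}".encode() + b"\0" + bytes.fromhex(oid)
        for name, (mode, oid) in sorted(entries.items())
    )
    return git_object("tree", payload)


def build_objects(files: Dict[str, bytes]) -> Dict[str, bytes]:
    """Turn a flat {path: content} map into blob objects plus one root tree."""
    objects: Dict[str, bytes] = {}
    entries: Dict[str, Tuple[str, str]] = {}
    for name, data in files.items():
        oid, raw = git_object("blob", data)
        objects[oid] = raw
        entries[name] = ("100644", oid)
    tree_oid, tree_raw = make_tree(entries)
    objects[tree_oid] = tree_raw
    return objects


def object_stream_checksum(objects: Dict[str, bytes]) -> str:
    """The checksum proposed in the message: SHA-256 over the raw objects,
    concatenated in sorted object-id order. No archive format is involved."""
    h = hashlib.sha256()
    for oid in sorted(objects):
        h.update(objects[oid])
    return h.hexdigest()


def tar_checksum(files: Dict[str, bytes], mtime: int, fmt: int) -> str:
    """SHA-256 of an uncompressed tar of the same files. Member order, mtime
    and tar format are all layout choices that change this digest."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=fmt) as tf:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mtime = mtime
            tf.addfile(info, io.BytesIO(data))
    return hashlib.sha256(buf.getvalue()).hexdigest()


# Constructed sample sources for the demo (not from any real project).
SOURCES = {"README": b"demo\n", "main.c": b"int main(void){return 0;}\n"}


def demo() -> Dict[str, str]:
    """Compare both checksum styles over the same content in two layouts."""
    reordered = dict(reversed(list(SOURCES.items())))
    return {
        "objects": object_stream_checksum(build_objects(SOURCES)),
        "objects_reordered": object_stream_checksum(build_objects(reordered)),
        # USTAR with zero mtimes vs. PAX with a different mtime and member order.
        "tar_a": tar_checksum(SOURCES, mtime=0, fmt=tarfile.USTAR_FORMAT),
        "tar_b": tar_checksum(reordered, mtime=1425134885, fmt=tarfile.PAX_FORMAT),
    }


if __name__ == "__main__":
    for name, digest in demo().items():
        print(f"{name}: {digest}")
```

The object-stream digest covers the same bytes that the object ids themselves cover, so anything that survives a verified SHA-1 tree walk is also what the SHA-256 commits to; a real implementation would walk the commit's tree recursively (subtrees and submodule gitlinks) rather than the single flat tree used here.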


Thread overview: 13+ messages
2015-02-28 14:48 Colin Walters [this message]
2015-02-28 19:14 ` weaning distributions off tarballs: extended verification of git tags brian m. carlson
2015-02-28 20:34 ` Morten Welinder
2015-03-02 17:09   ` Colin Walters
2015-03-02 18:12     ` Joey Hess
2015-03-02 19:38       ` Sam Vilain
2015-03-02 20:08         ` Junio C Hamano
2015-03-02 20:52           ` Sam Vilain
2015-03-02 23:20       ` Duy Nguyen
2015-03-02 23:44         ` Junio C Hamano
2015-03-03  0:42           ` Duy Nguyen
2015-03-05 12:36           ` Michael Haggerty
2015-07-08  4:00 ` Colin Walters
