Change link for MacOS Binary Installer to support Apple Silicon about git-scm.com HOT 9 OPEN

I don't have a strong opinion on this new project source. In a sense, pointing to work that exists is mostly better than not, because people can choose to use it or not.

But I do think we don't have a very coherent view on software supply chain security. Linking from the site indicates at least some endorsement. Not that I think @coderforlife is trying to upload malicious packages or anything, but we could end up in a situation where, say, his laptop gets owned, a trojan version is uploaded to his GitHub repo, and then our link causes it to get distributed widely.

I'm not sure what linking from our site implies to people about the security practices of those binaries. But it feels like we're being put on the hook for those practices. And again, I'm not questioning @coderforlife's practices in particular; this is something the community probably should have figured out long ago and didn't (including for things like the existing links to @timcharper's binaries).

So I dunno. It seems like maybe something that should get input from the broader community on the mailing list. I'll send a note there.

from git-scm.com.

thanks for reporting the issue @tongfa

indeed, the original repo seems a bit abandoned ATM (PRs without any feedback for 7 months timcharper/git_osx_installer#190)

but the project you mentioned does not seem to be releasing all versions frequently (only 2 releases under https://github.com/MoravianUniversity/git_osx_installer/releases), so I'm not totally comfortable referencing that project yet...

from git-scm.com.

I am running that other repo and only recently started. My plan has been to have 2 releases a year: one in August and one in January. This lines up with an update just before each semester of school when we release new setups for our introductory course. This seems like it will be just behind by a few minor versions at each release. I can also release on-demand as it only takes a few minutes (I just posed 2.40). Is there a way I can "watch" for new releases? git doesn't make official releases through GitHub so I can't subscribe there.

from git-scm.com.

Note: I (and many at the school) have been using this version on Apple Silicon and Apple Intel and the only known issues are with the GUI due to Tk library issues.

Currently, the installer is unsigned, but over the summer I plan on setting up signing so they can be installed with even fewer issues.

from git-scm.com.

thanks for jumping in @coderforlife !

on our side we have a scheduled job to check for new releases. see https://github.com/git/git-scm.com/blob/main/lib/tasks/downloads.rake

we also have a scheduled job to check new git versions and import man pages at https://github.com/git/git-scm.com/blob/main/lib/tasks/index.rake

does this help?

@peff / @jnavila any thoughts against using this new project as source for mac versions given this info?

from git-scm.com.

from git-scm.com.

Could GitHub actions with MacOS runners be used to build in a public manner that gives us more comfort?

I think the MacOS runners are free for public repos, but I'm not 100% sure on that.

from git-scm.com.

I think the MacOS runners are free for public repos, but I'm not 100% sure on that.

They aren't. But there is a monthly time budget of 2 000 minutes (which would be 200 macOS minutes) included with free accounts and organizations.

from git-scm.com.

The package only takes <5 minutes to build, but it sounds like that is 50 out of the 2000 minutes, which may be manageable.

from git-scm.com.