re: Can you prove the code in the repository isn't altered?

re: Commit signing would only tell the world the code actually comes from me. And the tarball is just a downloadable from GitHub, right? The actual code...
 

You are correct. But I don't think there is a sure way of telling the users that what you are using is the exact copy of the code from a repo. Maybe package the app as a docker image and add the image ID on the page? Or, if you are using PHP, package it as a PHAR archive and add its checksum on the page. I'm not sure of the equivalent in other languages.
