Compare & explore the differences between git-tagged versions (retrievable as generated archives from e.g. GitHub) and Release assets. The "Asset" tarball for a given version can differ from what was tagged for that release, for what are perceived as good reasons.
That discrepancy was what allowed xz-utils Release assets to have parts of the backdoor embedded that did not match what was in the Git repo.
So: how common is that? Can we bring some extra scrutiny to the differences?
For a first pass, I think we can do something like:
- Check if github.com is in SRC_URI (in ebuilds) or whatever the packaging download URL is
- Query GitHub's API for assets for a tag (they're 1:1); the gh tool may be able to do this too
- If any exist, see if there's one with an obvious name (like ${P}.tar.xz/.gz etc), or could even grab them all and look for e.g. configure
- Compare
We would need to try to extend this to at least GitLab and then also maybe figure out a solution for general dist-tarballs where we know of a repo but a self-hosted tarball too, but that last part feels like a stretch goal really (fairly uncommon nowadays).
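The pick-an-asset-then-compare steps sketched in the comment above, as an added example (not code from this thread or from any Gentoo tooling). The GitHub API call is stood in for by a constructed asset list shaped like the `releases/tags/{tag}` response, and both tarballs are built in memory so the comparison runs offline; `pkg-1.0` and its file contents are constructed sample data.

```python
"""Compare a tag's auto-generated archive against a Release asset tarball.

Added example. Network access is replaced by constructed inputs: the asset
list mimics GitHub's releases/tags/{tag} JSON, and both tarballs are built
in memory so the comparison logic runs offline.
"""
import hashlib
import io
import re
import tarfile


def pick_release_asset(assets, pkg_name, version):
    """Return the asset named like ${P}.tar.{gz,xz,bz2,zst}, or None if absent."""
    pattern = re.compile(
        rf"^{re.escape(pkg_name)}-{re.escape(version)}\.tar\.(gz|xz|bz2|zst)$")
    for asset in assets:
        if pattern.match(asset["name"]):
            return asset
    return None


def manifest(tar_bytes):
    """Map each regular file (top-level directory stripped) to its SHA-256."""
    result = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            path = member.name.split("/", 1)[1] if "/" in member.name else member.name
            result[path] = hashlib.sha256(tar.extractfile(member).read()).hexdigest()
    return result


def compare_archives(tag_tar, asset_tar):
    """Classify paths: only in the asset (e.g. generated configure), only in
    the tag, or present in both with differing content."""
    a, b = manifest(tag_tar), manifest(asset_tar)
    return {
        "only_in_asset": sorted(set(b) - set(a)),
        "only_in_tag": sorted(set(a) - set(b)),
        "changed": sorted(p for p in set(a) & set(b) if a[p] != b[p]),
    }


def make_tar(files, top="pkg-1.0"):
    """Build a gzip tarball in memory from {path: bytes} (constructed test data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, data in files.items():
            info = tarfile.TarInfo(f"{top}/{path}")
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()
```

Files reported under `only_in_asset` are the expected autotools output (`configure`, `Makefile.in`) plus anything else; `changed` entries deserve the closest look, since they are paths the repository does track.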