This project has moved. For the latest updates, please go here.

discrepancy of git repositories: which is canonical?

Topics: Users Discussion
Mar 3, 2015 at 3:47 AM
I've been following VeraCrypt for a short time now (month or more), and being paranoid, I build from source. that's fine and I get success, but the git repositories on GitHub do not match those of CodePlex. I noticed the SHA discrepancy in the latest commit, even though the commit log shows the same author, text, and even date/time.

therefore, I'm wondering which I should be building from. it's not like I want to go deep into the git log and check to see which commit was different on which repository. it could be that they are both almost identical. "almost" is not close enough; paranoia is kinda required when dealing with security, and I've plenty of it.

so, long story short: where's the canonical repo?

bonus info: are there plans to consolidate? I would recommend GitHub for a git repository on a cross-platform project.
Coordinator
Mar 3, 2015 at 6:40 AM
Hi,

Thank you for your interest in VeraCrypt.

Sourceforge is the main git repository. Codeplex and Github are mirrors. I synchronize thz mirrors through manual patching every time Sourceforge git is updated. Automatic mirroring between Sourceforge, Codeplex and Github is not something easy to do.
All three repositories are the same and the differences you are seeing between Codeplex and Github are probably coming from file line ending: Codeplex forces files to have Windows line ending while Github accept files as they are. It is easy to write a script that would normalize all files line ending and you would see that all contents are identical at every stage.

I'm also paranoid and I use 3 different Git repositories to counter any external tampering while maintaining my own repository to validate them.

I don't understand the consolidation request. Can you please elaborate?

For me, Sourceforge, Codeplex or Github are all providing the same Git services and I tend to prefer Sourceforge for its way of handling binary releases which basically allow me to host any files in a standard hierarchical way.
Indeed, Github look'n'feel is popular among developers and that's why VeraCrypt is also present there expecting to see many contributions. Unfortunately, almost nothing has come out of it and most interesting feedback comes from Sourceforge and Codeplex users.
Mar 3, 2015 at 1:43 PM
wow, three repos. I did not expect the Sourceforge code. makes sense the way you explain it. if you prefer many repositories, that's cool. I'll use the Sourceforge for building.

myself, I look at it the other way around. but then I'm not the dev here, so it's whatever you like.

with regard to consolidation, I didn't think about the input from users; I merely thought "if he wants a central area, CodePlex seems Windows-specific in some ways". but that was before I knew you preferred multiple repos. I can definitely see the input at GitHub is less than anywhere else (five issues total, as far as I see).

thank you for the response. this clears up what I was wondering without a doubt.