Comment 4 for bug 1687078

Benjamin Bach (benjaoming) wrote :

Whereas branches are very obviously intended for a "latest" pull without any further verification, it's important to note about git tags:

They can be edited.

This, of course, will not guarantee reproducible builds, for whatever reason they would be idealized.

However, for malicious purposes: If you tag something "v1.2.3" and then have it built and released with some backdoor, it's easy to cover up the tracks by force-pushing and overwriting the tag.

Therefore, as I understand it, git commit hashes are the safer alternative. They cannot be changed - they can be deleted, of course, but not changed.
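The tag-versus-hash distinction the comment makes can be shown directly. The script below is an added example, not code from the bug thread or from the project: it builds a throwaway repository with two constructed commits, shows that a tag can be retargeted with `git tag -f` (which is what a force-push of a tag does to the remote's view), and then shows the consumer-side check that a build pipeline pinning by commit hash would perform. The repository path, the tag name `v1.2.3` and the function names are all assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the bug thread): a tag can be moved to a different
# commit, a commit hash cannot; a consumer that records the hash detects the move.
set -eu

# Build a throwaway repository with two empty commits (constructed sample data)
# and tag the first one as v1.2.3. Prints the repository path.
make_demo_repo() {
  dir=$(mktemp -d)
  git -C "$dir" init -q
  git -C "$dir" -c user.name=demo -c user.email=demo@example.invalid \
    commit -q --allow-empty -m "first (the reviewed release)"
  git -C "$dir" tag v1.2.3
  git -C "$dir" -c user.name=demo -c user.email=demo@example.invalid \
    commit -q --allow-empty -m "second (what the tag gets moved to)"
  printf '%s\n' "$dir"
}

# Resolve any ref (tag, branch, or hash) to the commit it points at right now.
resolve_commit() {
  git -C "$1" rev-parse "$2^{commit}"
}

# Retarget an existing tag. Locally this is `git tag -f`; on a shared remote
# the same effect is produced by a force-push of the tag ref.
move_tag() {
  git -C "$1" tag -f "$2" "$3" >/dev/null
}

# Consumer-side pin check: the ref must resolve to the hash that was recorded
# when the dependency was reviewed, otherwise refuse to build from it.
verify_pin() {
  repo=$1; ref=$2; expected=$3
  actual=$(resolve_commit "$repo" "$ref")
  if [ "$actual" = "$expected" ]; then
    echo "ok: $ref -> $actual"
    return 0
  fi
  echo "MISMATCH: $ref now resolves to $actual, expected $expected" >&2
  return 1
}

# Stand-alone demonstration when run as a script.
if [ "${DEMO_RUN:-1}" = "1" ] && [ "$(basename "$0")" != "sh" ]; then
  repo=$(make_demo_repo)
  reviewed=$(git -C "$repo" rev-parse HEAD~1)
  verify_pin "$repo" v1.2.3 "$reviewed"           # passes: tag still on first commit
  move_tag "$repo" v1.2.3 "$(git -C "$repo" rev-parse HEAD)"
  verify_pin "$repo" v1.2.3 "$reviewed" || true   # fails: tag was moved
  verify_pin "$repo" "$reviewed" "$reviewed"      # passes: a hash resolves only to itself
fi
```

Pinning the hash is what makes the check meaningful: the tag name carries no integrity of its own, while a commit hash can only be deleted, never made to point elsewhere. Note also that since git 2.20 `git fetch` refuses to move an already-fetched tag without `--force`, but a fresh clone, which is what most CI builds do, simply sees the new target, so the recorded hash is the only thing standing between the build and a moved tag.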