[Rpm-maint] [rpm-software-management/rpm] Pristine and verifiable source releases (Issue #3565)
Colin Walters
notifications at github.com
Wed Feb 12 20:24:31 UTC 2025
Note that last I heard, git makes no promises that the output of `git archive` will forever be reproducible either, although I don't think it has changed in practice. IIRC github changed their archive generation a while ago, then backed off from it.
But I did create https://github.com/cgwalters/git-evtag/ which is partly to address some of this problem domain from the other direction - ensuring that `git tag` has the same security properties as a tarball.
> hosted on rpm.org
Sure, why not, though of course github releases support attached artifacts, and for e.g. bootc we generate a `git archive` as an artifact (alongside a Rust vendor snapshot) attached to the github "release", so one doesn't need to host out of band to have 100% fixed tarballs on github.
(I would still say though that IMO, distributions like Fedora should encourage fetching directly from git and not use tarballs at all...which is something that RPM is somewhat in a position to help encourage, but that's a bigger discussion...)
--
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/issues/3565#issuecomment-2654764696
Message ID: <rpm-software-management/rpm/issues/3565/2654764696 at github.com>
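A practical check that follows from the points above, as an added example (not Colin Walters' code, and not part of rpm or git-evtag): since `git archive` carries no promise of byte-for-byte reproducibility across git versions, a reviewer who is handed a release tarball can compare its *contents* against `git archive <tag>` from a clone, rather than relying on a pinned tarball checksum alone. The repository, the `v1.0` tag, the tarball and the `verify_tarball_against_tag` helper are all constructed here for the example; it assumes `git`, `tar` with `--strip-components`, `diff -r`, `mktemp` and `sha256sum` are on the path. It does not replace verifying the tag's signature (`git tag -v`, or `git evtag verify` where the project uses evtags); it only establishes that the tarball and the tag describe the same tree.

```shell
#!/bin/sh
# Added example: compare a release tarball's tree with `git archive <tag>`.
# Everything below (repo, tag, tarball, helper names) is constructed for the
# example and is not rpm's, git's or git-evtag's own code.
set -eu

# Constructed sample input: a throwaway repo with one tagged commit.
make_sample_repo() {
    repo=$1
    git init -q "$repo"
    (
        cd "$repo"
        git config user.email "dev@example.invalid"   # placeholder identity
        git config user.name "Sample Dev"
        git config commit.gpgsign false
        git config tag.gpgsign false
        printf 'int main(void){return 0;}\n' > main.c
        printf 'all:\n\tcc -o demo main.c\n' > Makefile
        git add main.c Makefile
        git commit -q -m "initial"
        git tag v1.0
    )
}

# SHA-256 of the raw `git archive` stream for TAG. Only stable for a given
# git version; two runs on the same machine should agree, which is what a
# pinned-checksum approach silently depends on.
archive_digest() {
    git -C "$1" archive --format=tar --prefix=src/ "$2" | sha256sum | cut -d' ' -f1
}

# Extract both `git archive TAG` (from REPO) and TARBALL with their top-level
# directory stripped, then diff the trees. Returns 0 if every file matches,
# 1 otherwise. Independent of tar byte layout, prefix name and gzip headers.
verify_tarball_against_tag() {
    repo=$1; tag=$2; tarball=$3
    work=$(mktemp -d)
    mkdir "$work/tag" "$work/tarball"
    git -C "$repo" archive --format=tar --prefix=src/ "$tag" \
        | tar -x -C "$work/tag" --strip-components=1
    tar -x -C "$work/tarball" --strip-components=1 -f "$tarball"
    if diff -r "$work/tag" "$work/tarball" >/dev/null; then
        rm -rf "$work"; return 0
    fi
    rm -rf "$work"; return 1
}

# Stand-alone demonstration: a genuine tarball passes, a tampered copy with
# the same file list but one changed file is rejected.
demo() {
    tmp=$(mktemp -d)
    make_sample_repo "$tmp/repo"
    git -C "$tmp/repo" archive --format=tar --prefix=demo-1.0/ v1.0 > "$tmp/demo-1.0.tar"
    if verify_tarball_against_tag "$tmp/repo" v1.0 "$tmp/demo-1.0.tar"; then
        echo "demo-1.0.tar matches tag v1.0"
    else
        echo "demo-1.0.tar does NOT match tag v1.0"
    fi
    mkdir "$tmp/evil"
    tar -x -C "$tmp/evil" -f "$tmp/demo-1.0.tar"
    printf 'int main(void){return 1;}\n' > "$tmp/evil/demo-1.0/main.c"   # tamper
    tar -c -C "$tmp/evil" -f "$tmp/evil.tar" demo-1.0
    if verify_tarball_against_tag "$tmp/repo" v1.0 "$tmp/evil.tar"; then
        echo "tampered tarball accepted (unexpected)"
    else
        echo "tampered tarball rejected"
    fi
    rm -rf "$tmp"
}

demo
```

The tree comparison is the part worth keeping: it survives a future change in how `git archive` or a forge generates tarballs, whereas a pinned `sha256sum` of the archive bytes does not. The `archive_digest` helper is included only to show what such a pinned checksum measures.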