[Rpm-maint] [rpm-software-management/rpm] Pristine and verifiable source releases (Issue #3565)

Panu Matilainen notifications at github.com
Thu Feb 13 05:15:16 UTC 2025


> Note that last I heard, git makes no promises that the output of git archive will forever be reproducible either, although I don't think it has changed in practice. IIRC github changed their archive generation a while ago, then backed off from it.

Well, I said as much in the description:
We want our source releases to be bit-per-bit identical to what you get straight out of git, with zero build steps to generate content, defined by a git tag. We still want a stable archive of that content generated and hosted on rpm.org because GH archive creation could change any day and render checksums unverifiable.

The bit-per-bit output of git-archive may change and make the exact *archive* non-reproducible at an unknown point in the future, but the actual *contents* will still match bit-per-bit, and that's what ultimately matters. And we don't have that now, because the source releases contain some amount of *built* data.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/issues/3565#issuecomment-2655498635

Message ID: <rpm-software-management/rpm/issues/3565/2655498635 at github.com>
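As an added illustration of the point above (not code from this thread or from the rpm project): the archive bytes may drift, so a release check should compare the *contents* of the hosted tarball with a reference archive of the tagged tree, path by path, and flag any built file that is not in git. The tree, the "rpm-X.Y.Z" prefix and the file bodies below are constructed sample data.

```python
import hashlib
import io
import tarfile

# Constructed stand-in for the tracked tree at a release tag (not rpm's real tree).
TREE = {"README.md": "rpm\n", "configure.ac": "AC_INIT([rpm])\n", "lib/rpmlib.h": "/* hdr */\n"}


def build_tarball(files: dict, prefix: str, mtime: int, reverse: bool = False) -> bytes:
    """Build an uncompressed tar of `files` under `prefix`. mtime and member
    order are tunable so two archives with identical content differ byte-wise."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name in sorted(files, reverse=reverse):
            data = files[name].encode()
            info = tarfile.TarInfo(f"{prefix}/{name}")
            info.size, info.mtime, info.mode = len(data), mtime, 0o644
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def content_manifest(tar_bytes: bytes) -> dict:
    """Map each regular file (top-level directory stripped) to the SHA-256 of
    its bytes. mtime, uid, ordering and compression are deliberately ignored."""
    manifest = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tf:
        for member in tf:
            if not member.isfile():
                continue
            path = member.name.split("/", 1)[1] if "/" in member.name else member.name
            manifest[path] = hashlib.sha256(tf.extractfile(member).read()).hexdigest()
    return manifest


def compare_release(release_tar: bytes, reference_tar: bytes) -> dict:
    """Discrepancies between a hosted release tarball and a reference archive
    of the tagged tree. All-empty lists mean the contents match bit-per-bit
    even when the archive bytes do not (e.g. git-archive output changed)."""
    rel, ref = content_manifest(release_tar), content_manifest(reference_tar)
    return {
        "extra": sorted(p for p in rel if p not in ref),      # built/generated files
        "missing": sorted(p for p in ref if p not in rel),
        "changed": sorted(p for p in rel if p in ref and rel[p] != ref[p]),
    }
```

An "extra" entry such as a generated configure script is exactly the built data the issue wants out of the source release.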