[Rpm-maint] [rpm-software-management/rpm] Pristine and verifiable source releases (Issue #3565)
Michal Domonkos
notifications at github.com
Thu Feb 13 10:44:05 UTC 2025
> I'm getting the same checksum on multiple downloads of the same tarball here
Having slept on it, I realized this doesn't mean anything; even if GitHub generated the archive on-the-fly for every request, `git archive` (which it reportedly uses underneath) would still produce the same bit-by-bit archive every time, of course.
> not sure if we could rely on it never changing (for the given release)
According to this [LWN article](https://lwn.net/Articles/921787/) (and the associated GitHub [blog post](https://github.blog/changelog/2023-01-30-git-archive-checksums-may-change/)), this is indeed *not* guaranteed:
> GitHub doesn’t guarantee the stability of checksums for automatically generated archives. These are marked with the words “Source code (zip)” and “Source code (tar.gz)” on the Releases tab. If you need to rely on a consistent checksum, you may upload archives directly to GitHub Releases. These are guaranteed not to change.
Thus, we just need to continue producing our own tarballs, even if we start doing GitHub releases.
--
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/issues/3565#issuecomment-2656196205
Message ID: <rpm-software-management/rpm/issues/3565/2656196205 at github.com>
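As an added illustration (not code from this thread or from the rpm project), the following Python snippet shows the distinction the comment turns on: the uncompressed tar stream `git archive` emits is fixed for a given commit, but the gzip layer wrapped around it is not, so a checksum taken over the decompressed stream survives a change of compressor while one over the `.tar.gz` bytes does not. The file tree, timestamps and gzip settings are constructed for the demonstration.

```python
import gzip
import hashlib
import io
import tarfile


def build_tar(files: dict) -> bytes:
    """Build an uncompressed tar from an in-memory tree (constructed sample).

    Entries are written in sorted order with a fixed mtime, mirroring how
    `git archive` derives a deterministic stream from the commit contents.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for name in sorted(files):
            data = files[name]
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mtime = 1700000000  # constructed timestamp, stands in for the commit date
            info.mode = 0o644
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def gzip_bytes(raw: bytes, level: int, mtime: int) -> bytes:
    """Compress the same tar with different gzip settings (different 'compressor')."""
    out = io.BytesIO()
    with gzip.GzipFile(fileobj=out, mode="wb", compresslevel=level, mtime=mtime) as gz:
        gz.write(raw)
    return out.getvalue()


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def inner_sha256(tgz: bytes) -> str:
    """Checksum of the decompressed tar stream, independent of the gzip framing."""
    return sha256(gzip.decompress(tgz))


# Constructed sample tree; names and contents are placeholders, not rpm's real tree.
SAMPLE_TREE = {"proj-1.0/README": b"hello\n", "proj-1.0/configure.ac": b"AC_INIT\n" * 200}
TAR = build_tar(SAMPLE_TREE)
TGZ_A = gzip_bytes(TAR, level=9, mtime=0)           # e.g. the archive served last year
TGZ_B = gzip_bytes(TAR, level=1, mtime=1700000000)  # same tar, regenerated by a different gzip


def compare() -> dict:
    """Outer (.tar.gz) checksums diverge; inner (tar stream) checksums agree."""
    return {
        "outer_equal": sha256(TGZ_A) == sha256(TGZ_B),
        "inner_equal": inner_sha256(TGZ_A) == inner_sha256(TGZ_B),
    }
```

Publishing and verifying a project-built tarball (with its own checksum and signature) sidesteps the problem entirely, which is the conclusion the comment reaches; checking the decompressed stream is only a fallback for consumers stuck with auto-generated archives.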