Reproducible tarballs on Github?
Arthur Gautier
baloo at superbaloo.net
Sat Oct 23 15:02:18 UTC 2021
On Sat, Oct 23, 2021 at 9:52 AM Martin Monperrus
<martin.monperrus at gnieh.org> wrote:
>
> Dear all,
>
> FYI, GitHub's autogenerated release tarballs are not deterministic (see discussion on keybase, and Bitcoin-core release warning).
>
> Does anybody have good connections at GitHub to get this fixed?
>
> Best regards,
>
I believe this is one of the reasons the kernel releases only sign the
tar itself and not the compressed version (also makes it future-proof
as they can switch to a new compression algorithm).
The tar itself looks to be stable. NixOS checks for every asset of its
build and compares the hash of the extracted tar. As far as I know,
they seem to be stable.
Best,
More information about the rb-general
mailing list
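
The point made in the reply above, as an added example that is not part of the original message: the same tar stream gzipped with different settings gives different file hashes, while a hash over the decompressed tar (or over the extracted contents) stays the same. The sample files, function names and timestamps are constructed for illustration, and tree_digest is a simplified stand-in, not the hash format NixOS actually uses.

```python
import gzip, hashlib, io, tarfile

# Constructed sample tree standing in for a release's source files.
FILES = {"proj/README": b"hello\n", "proj/src/main.c": b"int main(void){return 0;}\n"}

def build_tar(files, mtime=0):
    """Tar the files in sorted order with fixed metadata."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        for name in sorted(files):
            info = tarfile.TarInfo(name)
            info.size, info.mtime, info.mode = len(files[name]), mtime, 0o644
            tar.addfile(info, io.BytesIO(files[name]))
    return buf.getvalue()

def file_digest(blob):
    """SHA-256 of the compressed artifact as downloaded."""
    return hashlib.sha256(blob).hexdigest()

def tar_digest(tgz):
    """SHA-256 of the decompressed tar stream (what a signature over the .tar covers)."""
    h = hashlib.sha256()
    with gzip.GzipFile(fileobj=io.BytesIO(tgz)) as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def tree_digest(tgz):
    """SHA-256 over extracted (name, mode, size, data) records; ignores tar and gzip framing."""
    h = hashlib.sha256()
    with tarfile.open(fileobj=io.BytesIO(tgz), mode="r:gz") as tar:
        for m in sorted(tar.getmembers(), key=lambda m: m.name):
            if m.isfile():
                data = tar.extractfile(m).read()
                h.update(f"{m.name}\0{m.mode:o}\0{len(data)}\0".encode() + data)
    return h.hexdigest()

def sample_archives():
    """Same tree packed three ways: two gzip settings, then a different tar mtime."""
    tar = build_tar(FILES)
    a = gzip.compress(tar, compresslevel=9, mtime=1634980000)
    b = gzip.compress(tar, compresslevel=1, mtime=1634990000)
    c = gzip.compress(build_tar(FILES, mtime=1634980000), compresslevel=9, mtime=1634980000)
    return a, b, c

if __name__ == "__main__":
    for label, blob in zip("abc", sample_archives()):
        print(label, file_digest(blob)[:16], tar_digest(blob)[:16], tree_digest(blob)[:16])
```

Archive c shows the limit of hashing the tar stream: once the tar metadata itself changes, only the hash over extracted contents still matches.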