Reproducible tarballs on GitHub?

Arthur Gautier baloo at
Sat Oct 23 15:02:18 UTC 2021

On Sat, Oct 23, 2021 at 9:52 AM Martin Monperrus
<martin.monperrus at> wrote:
> Dear all,
> FYI, GitHub's autogenerated release tarballs are not deterministic (see discussion on Keybase, and Bitcoin-core release warning).
> Does anybody have good connections at GitHub to get this fixed?
> Best regards,

I believe this is one of the reasons the kernel releases only sign the
tar itself and not the compressed version (also makes it future-proof
as they can switch to a new compression algorithm).

The tar itself looks to be stable; NixOS checks for every asset of its
build and compares the hash of the extracted tar. As far as I know,
they seem to be stable.
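
An added illustration of the point made in this reply (not code from the thread, from NixOS or from kernel.org): the same tar compressed with two different gzip settings yields different compressed digests, while a digest pinned to the decompressed tar accepts both. The file name, payload and gzip parameters are constructed for the example.

```python
import gzip
import hashlib
import hmac
import io
import tarfile


def build_tar(payload: bytes = b"hello reproducible world\n") -> bytes:
    """Constructed sample: a one-file tar with fixed metadata."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        info = tarfile.TarInfo("project-1.0/README")  # hypothetical path
        info.size, info.mtime, info.mode = len(payload), 0, 0o644
        tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def gz(data: bytes, level: int, mtime: int) -> bytes:
    """Gzip with explicit level and header timestamp; both change the output bytes."""
    out = io.BytesIO()
    with gzip.GzipFile(fileobj=out, mode="wb", compresslevel=level, mtime=mtime) as f:
        f.write(data)
    return out.getvalue()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def inner_tar_digest(tgz: bytes) -> str:
    """SHA-256 of the decompressed tar stream, hashed in chunks."""
    h = hashlib.sha256()
    with gzip.GzipFile(fileobj=io.BytesIO(tgz)) as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify(tgz: bytes, pinned_tar_sha256: str) -> bool:
    """Accept a tarball if its inner tar matches the pinned digest."""
    return hmac.compare_digest(inner_tar_digest(tgz), pinned_tar_sha256)


if __name__ == "__main__":
    tar = build_tar()
    pin = sha256_hex(tar)
    a, b = gz(tar, 9, 0), gz(tar, 1, 1634999999)  # same tar, different gzip settings
    print("compressed digests equal:", sha256_hex(a) == sha256_hex(b))
    print("inner tar digests equal: ", inner_tar_digest(a) == inner_tar_digest(b))
    print("both verify against pin: ", verify(a, pin) and verify(b, pin))
```

Checking the inner tar means the decompressor runs on bytes that have not been authenticated yet.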

