Reproducible tarballs on Github?

Keith Smiley keithbsmiley at
Sat Oct 23 17:51:50 UTC 2021

Here is an issue with a
lot of other referenced issues, about the one time I remember this
happening. Folks in the Bazel community reference this issue a lot since
the default behavior of folks is to use the generated tarball URL and pin
those SHAs in their builds.

On Sat, Oct 23, 2021 at 8:22 AM Arthur Gautier <baloo at> wrote:

> On Sat, Oct 23, 2021 at 9:52 AM Martin Monperrus
> <martin.monperrus at> wrote:
> >
> > Dear all,
> >
> > FYI, Github's autogenerated release tarballs are not deterministic (see
> discussion on keybase, and Bitcoin-core release warning).
> >
> > Does anybody have good connections at Github to get this fixed?
> >
> > Best regards,
> >
> I believe this is one of the reasons the kernel releases only sign the
> tar itself and not the compressed version (also makes it future-proof
> as they can switch to a new compression algorithm).
> The tar itself looks to be stable, NixOS checks for every asset of its
> build and compares the hash of the extracted tar. As far as I know,
> they seem to be stable.
> Best,

Keith Smiley
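The thread's practical point is that a pinned SHA of a compressed archive breaks whenever the service re-compresses the same tar, while a hash taken below the gzip layer (the kernel's approach) or over the extracted contents (what NixOS effectively checks) keeps working. The following is an added example, written for this page and not code from the kernel, NixOS, Bazel or GitHub. It builds a constructed sample tree in memory, packages the identical tar stream twice with different gzip headers, and then repackages the tree with a different tar mtime, to show which of the three hashes survives which kind of change.

```python
import gzip
import hashlib
import io
import tarfile


def build_tar(files, mtime=0):
    """Build a tar archive in memory from {path: bytes} with fixed metadata.

    The file tree passed in is constructed sample input, not a real release.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for path in sorted(files):
            data = files[path]
            info = tarfile.TarInfo(name=path)
            info.size = len(data)
            info.mtime = mtime
            info.mode = 0o644
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def gzip_bytes(raw, mtime, level):
    """Compress the same bytes with a chosen gzip header mtime and level,
    standing in for a service that re-compresses an archive on demand."""
    out = io.BytesIO()
    with gzip.GzipFile(fileobj=out, mode="wb", compresslevel=level, mtime=mtime) as gz:
        gz.write(raw)
    return out.getvalue()


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def sha256_decompressed(tgz):
    """Hash the tar stream inside a .tar.gz, ignoring the gzip layer
    (the property the kernel relies on when it signs only the .tar)."""
    return sha256_hex(gzip.decompress(tgz))


def content_hash(tgz):
    """Hash (path, mode, type, data) of every entry, sorted by path.

    This ignores both the gzip layer and tar header fields such as mtime,
    so it also survives the tree being re-packaged into a fresh tar.
    """
    h = hashlib.sha256()
    with tarfile.open(fileobj=io.BytesIO(tgz), mode="r:gz") as tar:
        for m in sorted(tar.getmembers(), key=lambda m: m.name):
            h.update(m.name.encode() + b"\0")
            h.update(f"{m.mode:o}\0".encode() + m.type + b"\0")
            if m.isfile():
                h.update(tar.extractfile(m).read())
            h.update(b"\0")
    return h.hexdigest()


def demo():
    # Constructed sample source tree; the project name is hypothetical.
    tree = {
        "proj-1.0/README": b"hello\n",
        "proj-1.0/src/main.c": b"int main(void) { return 0; }\n",
    }
    raw = build_tar(tree)
    # Same tar bytes, compressed twice as a service might on different days.
    a = gzip_bytes(raw, mtime=1_600_000_000, level=6)
    b = gzip_bytes(raw, mtime=1_700_000_000, level=9)
    # Same tree, but the tar itself rebuilt with a different entry mtime.
    c = gzip_bytes(build_tar(tree, mtime=1), mtime=1_600_000_000, level=6)
    return {
        "compressed_equal": sha256_hex(a) == sha256_hex(b),
        "tar_equal": sha256_decompressed(a) == sha256_decompressed(b),
        "content_equal": content_hash(a) == content_hash(b),
        "repack_tar_equal": sha256_decompressed(a) == sha256_decompressed(c),
        "repack_content_equal": content_hash(a) == content_hash(c),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Pinning the hash of the compressed bytes fails on the first case alone; pinning the decompressed tar survives gzip changes but not a rebuilt tar; a sorted content hash survives both, at the cost of having to define exactly which metadata it covers.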