Reproducible tarballs on Github?

Keith Smiley keithbsmiley at gmail.com
Sat Oct 23 17:51:50 UTC 2021


Here is an issue
https://github.com/easybuilders/easybuild-easyconfigs/issues/5151 with a
lot of other referenced issues, about the one time I remember this
happening. Folks in the bazel community reference this issue a lot since
the default behavior of folks is to use the generated tarball URL and pin
those SHAs in their builds.

On Sat, Oct 23, 2021 at 8:22 AM Arthur Gautier <baloo at superbaloo.net> wrote:

> On Sat, Oct 23, 2021 at 9:52 AM Martin Monperrus
> <martin.monperrus at gnieh.org> wrote:
> >
> > Dear all,
> >
> > FYI, Github's autogenerated release tarballs are not deterministic (see
> > discussion on keybase, and Bitcoin-core release warning).
> >
> > Does anybody have good connections at Github to get this fixed?
> >
> > Best regards,
> >
>
> I believe this is one of the reasons the kernel releases only sign the
> tar itself and not the compressed version (also makes it future-proof
> as they can switch to a new compression algorithm).
>
> The tar itself looks to be stable, NixOS checks for every asset of its
> build and compares the hash of the extracted tar. As far as I know,
> they seem to be stable.
>
> Best,
>
-- 
Keith Smiley
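As an added illustration of the point made in the quoted reply (sign or pin the tar stream, not the gzip container), the script below is example code of mine, not from the thread or any of the projects mentioned. It assumes GNU gzip, tar, sha256sum and mktemp on PATH, compresses one identical tar twice with different gzip header settings, and shows that the container hashes drift while the decompressed hash a build should pin stays fixed.

```shell
# Added example: pin the hash of the tar stream inside a release archive
# rather than the hash of the gzip container that wraps it.
# Assumes GNU gzip, tar, sha256sum and mktemp (coreutils) are available.

sha256_of_file() { sha256sum "$1" | cut -d' ' -f1; }

# What the kernel signs and what a NixOS-style check effectively compares:
# the decompressed tar bytes, independent of how gzip wrapped them.
sha256_of_decompressed() { gzip -dc "$1" | sha256sum | cut -d' ' -f1; }

# Gate a downloaded archive on a pinned decompressed-tar hash.
# Returns 0 on match, 1 on mismatch, so it can fail a build step.
verify_pinned_tar() {
  [ "$(sha256_of_decompressed "$1")" = "$2" ]
}

# Compress one tar payload twice with different gzip header settings and
# report whether the container hashes drift while the payload hash holds.
# Prints: compressed_differ=<0|1> decompressed_equal=<0|1> pinned_ok=<0|1>
demo_tarball_drift() {
  work=$(mktemp -d)
  mkdir -p "$work/src"
  printf 'constructed sample file\n' > "$work/src/README"  # constructed input
  tar -C "$work" -cf "$work/src.tar" src    # the one fixed tar payload
  cp "$work/src.tar" "$work/a.tar"
  cp "$work/src.tar" "$work/b.tar"
  gzip -n "$work/a.tar"   # -n: no original name or mtime in the gzip header
  gzip "$work/b.tar"      # default: file name and mtime are stored

  c_a=$(sha256_of_file "$work/a.tar.gz"); c_b=$(sha256_of_file "$work/b.tar.gz")
  d_a=$(sha256_of_decompressed "$work/a.tar.gz")
  d_b=$(sha256_of_decompressed "$work/b.tar.gz")
  pinned=$(sha256_of_file "$work/src.tar")   # the value a build would pin

  differ=0; [ "$c_a" != "$c_b" ] && differ=1   # gzip containers differ
  equal=0;  [ "$d_a" = "$d_b" ] && equal=1     # tar streams are identical
  ok=0; verify_pinned_tar "$work/b.tar.gz" "$pinned" && ok=1
  rm -rf "$work"
  echo "compressed_differ=$differ decompressed_equal=$equal pinned_ok=$ok"
}

demo_tarball_drift
```

Pinning the decompressed hash still does not protect against the tar payload itself being regenerated with different metadata, which is why the reply notes that NixOS compares hashes of the extracted contents.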