Reproducible tarballs on Github?

David A. Wheeler dwheeler at dwheeler.com
Sat Oct 23 18:14:20 UTC 2021



> On Oct 23, 2021, at 1:51 PM, Keith Smiley <keithbsmiley at gmail.com> wrote:
> 
> Here is an issue 
> https://github.com/easybuilders/easybuild-easyconfigs/issues/5151 with a lot of other referenced issues, about the one time I remember this happening. Folks in the bazel community reference this issue a lot since the default behavior of folks is to use the generate tarball URL and pin those shas in their builds.
> 
> On Sat, Oct 23, 2021 at 8:22 AM Arthur Gautier <baloo at superbaloo.net> wrote:
> On Sat, Oct 23, 2021 at 9:52 AM Martin Monperrus
> <martin.monperrus at gnieh.org> wrote:
> >
> > Dear all,
> >
> > FYI, Github's autogenerated release tarballs are not deterministic (see discussion on keybase, and Bitcoin-core release warning).
> >
> > Does anybody have good connections at Github to get this fixed?


A build is deterministic if it produces the same results for a specific set of tool versions & platform.
Tool changes eliminate that. You should expect, for example, that an updated compiler will generate different results.

A given version of tar should produce deterministic results. However, if tar is updated, it’s not really
reasonable to expect that the result will be identical.

It’s reasonable for GitHub to change its default tar implementation. What would you suggest as an alternative?

--- David A. Wheeler
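As an added illustration (not part of the thread), the difference between pinning the archive bytes and pinning the tree they unpack to: the script below packs the same constructed file tree into two tarballs that differ only in member mtimes and gzip level, then shows that a hash over the archive bytes changes while a digest over the extracted paths and contents stays stable, yet still catches a modified file. It uses only the Python standard library; the sample tree and file names are constructed for the demonstration.

```python
import hashlib
import io
import tarfile

# Constructed sample tree standing in for a release checkout.
SAMPLE_TREE = {
    "pkg-1.0/README": b"sample project\n",
    "pkg-1.0/src/main.c": b"int main(void) { return 0; }\n",
}


def build_tarball(files, mtime, compresslevel=9):
    """Pack the same tree into a .tar.gz, varying only archive metadata
    (member mtime, gzip level) the way a different tar/gzip version might."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz", compresslevel=compresslevel) as tar:
        for name, data in sorted(files.items()):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mtime = mtime
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def tarball_sha256(tarball):
    """The digest a build pins when it hashes the downloaded archive bytes."""
    return hashlib.sha256(tarball).hexdigest()


def content_digest(tarball):
    """Digest of the file tree alone: sorted paths plus regular-file contents,
    independent of member order, mtimes, ownership and gzip settings."""
    h = hashlib.sha256()
    with tarfile.open(fileobj=io.BytesIO(tarball), mode="r:*") as tar:
        for member in sorted(tar.getmembers(), key=lambda m: m.name):
            if not member.isfile():
                continue
            h.update(member.name.encode() + b"\0")
            h.update(hashlib.sha256(tar.extractfile(member).read()).digest())
    return h.hexdigest()


def compare_releases():
    """Same tree archived twice with different metadata, plus a tampered copy."""
    first = build_tarball(SAMPLE_TREE, mtime=1_600_000_000, compresslevel=9)
    second = build_tarball(SAMPLE_TREE, mtime=1_700_000_000, compresslevel=6)
    tampered = {**SAMPLE_TREE, "pkg-1.0/src/main.c": b"int main(void) { return 1; }\n"}
    third = build_tarball(tampered, mtime=1_600_000_000, compresslevel=9)
    return {
        "archive_bytes_match": tarball_sha256(first) == tarball_sha256(second),
        "tree_matches": content_digest(first) == content_digest(second),
        "tamper_detected": content_digest(first) != content_digest(third),
    }


if __name__ == "__main__":
    print(compare_releases())
```

Pinning the content digest instead of the archive hash survives a regenerated tarball while still failing closed when any file in the tree changes.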
