Reproducible tarballs on Github?

Bernhard M. Wiedemann bernhardout at lsmod.de
Sat Oct 23 18:55:07 UTC 2021



On 23/10/2021 20.14, David A. Wheeler wrote:
> 
> A given version of tar should produce deterministic results. However, if
> tar is updated, it’s not really
> reasonable to expect that the result will be identical.

> It’s reasonable for GitHub to change its default tar implementation. What would you suggest as an alternative?

In principle it is possible to define unit-tests that check that a set
of given inputs will produce a certain set of outputs.
Then when you change the implementation, it ensures that (at least
these) outputs are still the same.
The downside is that it can make changes harder (e.g. because you need
to keep the old ordering of elements), but the upside is that you can be
pretty sure that outputs are correct.


One related thing I wondered: are there verification efforts that check
that release tarballs correspond to a git commit?
In some cases with automake/autoconf it will usually not be a perfect match.
The situation is better for projects that gpg-signs their tarballs, but
verification cannot hurt even in those cases.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature
Type: application/pgp-signature
Size: 236 bytes
Desc: OpenPGP digital signature
URL: <http://lists.reproducible-builds.org/pipermail/rb-general/attachments/20211023/b9040401/attachment.sig>


More information about the rb-general mailing list