Reproducible tarballs on Github?
mail at aparcar.org
Sat Oct 23 19:01:51 UTC 2021
> On 23. Oct 2021, at 08:55, Bernhard M. Wiedemann <bernhardout at lsmod.de> wrote:
>> On 23/10/2021 20.14, David A. Wheeler wrote:
>> A given version of tar should produce deterministic results. However, if
>> tar is updated, it’s not really
>> reasonable to expect that the result will be identical.
>> It’s reasonable for GitHub to change its default tar implementation. What would you suggest as an alternative?
Can’t we reach out to GitHub/Microsoft and request that they fix their implementation? As a source distribution it should be their priority to keep user trust high.
I remember they sent out a Microsoft person to one of the RB summits so interest must be there.
> In principle it is possible to define unit-tests that check that a set
> of given inputs will produce a certain set of outputs.
> Then when you change the implementation, it ensures that (at least
> these) outputs are still the same.
> The downside is that it can make changes harder (e.g. because you need
> to keep the old ordering of elements), but the upside is that you can be
> pretty sure that outputs are correct.
> One related thing I wondered: are there verification efforts that check
> that release tarballs correspond to a git commit?
> In some cases with automake/autoconf it will usually not be a perfect match.
> The situation is better for projects that gpg-signs their tarballs, but
> verification cannot hurt even in those cases.
More information about the rb-general