Reproducible tarballs on Github?
baloo at superbaloo.net
Sat Oct 23 19:23:53 UTC 2021
On Sat, Oct 23, 2021 at 6:14 PM David A. Wheeler <dwheeler at dwheeler.com> wrote:
> On Oct 23, 2021, at 1:51 PM, Keith Smiley <keithbsmiley at gmail.com> wrote:
> Here is an issue
> https://github.com/easybuilders/easybuild-easyconfigs/issues/5151 with a lot of other referenced issues, about the one time I remember this happening. Folks in the bazel community reference this issue a lot since the default behavior of folks is to use the generate tarball URL and pin those shas in their builds.
> On Sat, Oct 23, 2021 at 8:22 AM Arthur Gautier <baloo at superbaloo.net> wrote:
>> On Sat, Oct 23, 2021 at 9:52 AM Martin Monperrus
>> <martin.monperrus at gnieh.org> wrote:
>> > Dear all,
>> > FYI, Github's autogenerated release tarballs are not deterministic (see discussion on keybase, and Bitcoin-core release warning).
>> > Does anybody have good connections at Github to get this fixed?
> A build is deterministic if it produces the same results for a specific set of tool versions & platform.
> Tool changes eliminate that. You should expect, for example, that an updated compiler will generate different results.
> A given version of tar should produce deterministic results. However, if tar is updated, it’s not really
> reasonable to expect that the result will be identical.
> It’s reasonable for GitHub to change its default tar implementation. What would you suggest as an alternative?
> --- David A. Wheeler
I would expect Github to use the tar implementation of git-archive (or
libgit2). git-archive is specifically designed to be reproducible.
All I'm suggesting is to checksum the inflated version of the archive
and not the compressed one.
More information about the rb-general