Unreproducible tar files on go.googlesource.com

Vagrant Cascadian vagrant at reproducible-builds.org
Tue Jul 18 19:43:44 UTC 2023


On 2023-07-18, kpcyrd wrote:
> while packaging govulncheck for Arch Linux I noticed a checksum mismatch 
> for a tar file I downloaded from go.googlesource.com.
...
> https://go.googlesource.com/vuln/+archive/refs/tags/v1.0.0.tar.gz
>
> I downloaded the file 3 times and got a different sha256 every time; it 
> seems the tar file records the current time when downloading it.
>
> 1st: ddf7cfd295eef68ba284b6471b88dea8efb91b5a115cbead2a3303dce55db94f
> 2nd: 4e9e72a8d19faf25a303d46af559471e8698321d131cec05f31419e2fc9ab43a
> 3rd: 37d9a2b04e9d73effdfbe565012f47456be2360f9389ebd89a981ce27c8bf4ce
>
> I figured I'd share this here for documentation purposes.

Wonder if there is anyone who could nudge them to fix that?

FWIW, looks like guix uses git instead of tarballs for projects hosted
on go.googlesource.com. Which gives some other benefits, such as
archival at softwareheritage.org.


live well,
  vagrant
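The mismatch kpcyrd describes (identical content, different sha256 on every download because the archive embeds the time it was generated) is easy to confirm or rule out with a small check: hash the archive's contents while ignoring entry mtimes, ownership, entry order and the gzip header timestamp, and compare that to the raw digest. The script below is an added example for this thread, not part of the original mail or of any go.googlesource.com tooling; it builds two small tar.gz archives in memory as constructed test data (same files, different timestamps) and classifies the difference between them.

```python
import gzip
import hashlib
import io
import tarfile


def build_archive(files, entry_mtime, gzip_mtime):
    """Build a tar.gz in memory (constructed test data, not a real archive).
    `files` maps path -> bytes; `entry_mtime` is stamped on every tar entry,
    `gzip_mtime` goes into the gzip header (bytes 4..7, little endian)."""
    tar_buf = io.BytesIO()
    with tarfile.open(fileobj=tar_buf, mode="w") as tar:
        for name in sorted(files):
            info = tarfile.TarInfo(name)
            info.size = len(files[name])
            info.mtime = entry_mtime
            tar.addfile(info, io.BytesIO(files[name]))
    gz_buf = io.BytesIO()
    with gzip.GzipFile(fileobj=gz_buf, mode="wb", mtime=gzip_mtime) as gz:
        gz.write(tar_buf.getvalue())
    return gz_buf.getvalue()


def gzip_header_mtime(data):
    """Read the MTIME field of the gzip header (RFC 1952, offset 4, 4 bytes LE)."""
    return int.from_bytes(data[4:8], "little")


def raw_sha256(data):
    """What a packager's checksum file records: the digest of the bytes as served."""
    return hashlib.sha256(data).hexdigest()


def normalized_sha256(data):
    """Digest over the archive *contents* only.  Entries are sorted by path and
    hashed as (path, type, mode, size, file bytes); mtime, uid/gid, uname/gname,
    the gzip header and the original entry order are deliberately left out, so
    two archives that differ only in when they were generated hash the same."""
    h = hashlib.sha256()
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        for m in sorted(tar.getmembers(), key=lambda m: m.name):
            h.update(f"{m.name}\0{m.type.decode()}\0{m.mode:o}\0{m.size}\n".encode())
            if m.isfile():
                h.update(tar.extractfile(m).read())
    return h.hexdigest()


def classify(a, b):
    """Tell a harmless metadata-only mismatch apart from a real content change."""
    if a == b:
        return "identical"
    if normalized_sha256(a) == normalized_sha256(b):
        return "metadata-only"
    return "content-differs"


# Constructed sample tree; stands in for a source archive of any Go module.
FILES = {
    "example/go.mod": b"module example.com/demo\n",
    "example/main.go": b"package main\n\nfunc main() {}\n",
}

if __name__ == "__main__":
    first = build_archive(FILES, entry_mtime=1000, gzip_mtime=1000)
    second = build_archive(FILES, entry_mtime=2000, gzip_mtime=2000)
    print("raw:       ", raw_sha256(first), raw_sha256(second))
    print("normalized:", normalized_sha256(first), normalized_sha256(second))
    print("gzip mtime:", gzip_header_mtime(first), gzip_header_mtime(second))
    print("verdict:   ", classify(first, second))
```

The normalized digest is only a diagnostic: it tells you whether a checksum mismatch is worth investigating, not whether the archive is trustworthy. For a pinned build, the stable thing to record is still a git commit hash (the route Vagrant mentions guix taking), or a checksum of an archive you have confirmed the host generates deterministically.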