Unreproducible tar files on go.googlesource.com
Hans-Christoph Steiner
hans at guardianproject.info
Tue Jul 18 20:55:58 UTC 2023
Vagrant Cascadian:
> On 2023-07-18, kpcyrd wrote:
>> while packaging govulncheck for Arch Linux I noticed a checksum mismatch
>> for a tar file I downloaded from go.googlesource.com.
> ...
>> https://go.googlesource.com/vuln/+archive/refs/tags/v1.0.0.tar.gz
>>
>> I downloaded the file 3 times and got a different sha256 every time; it
>> seems the tar file records the current time when downloading it.
>>
>> 1st: ddf7cfd295eef68ba284b6471b88dea8efb91b5a115cbead2a3303dce55db94f
>> 2nd: 4e9e72a8d19faf25a303d46af559471e8698321d131cec05f31419e2fc9ab43a
>> 3rd: 37d9a2b04e9d73effdfbe565012f47456be2360f9389ebd89a981ce27c8bf4ce
>>
>> I figured I'd share this here for documentation purposes.
>
> Wonder if there is anyone who could nudge them to fix that?
>
> FWIW, looks like guix uses git instead of tarballs for projects hosted
> on go.googlesource.com. Which gives some other benefits, such as
> archival at softwareheritage.org.
I filed an issue years ago against the Google software that runs
googlesource.com, and they said they weren't interested in fixing the changing
timestamps because that was not enough to guarantee that the tarball would
always be reproducible. I thought that was a lame excuse, since it's an easy
fix. I would recommend digging up that issue and bringing it up again.
https://github.com/google/gitiles/issues/217
.hc
--
Signal: +13478504872
PGP fingerprint: EE66 20C7 136B 0D2C 456C 0A4D E9E2 8DEA 00AA 5556
https://keys.openpgp.org/search?q=EE6620C7136B0D2C456C0A4DE9E28DEA00AA5556
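Added example (not part of the thread, and not gitiles code): a mock archive server that stamps the download time into the gzip header, the check a packager can run to confirm two mismatching downloads carry the same source tree, and the pinned-timestamp variant that makes the hash stable. It assumes the varying component is the timestamp, as the thread suggests; FILES and COMMIT_TIME are constructed stand-ins.

```python
import gzip, hashlib, io, tarfile

# Constructed stand-in for a repository snapshot (not the real vuln tree).
FILES = {"go.mod": b"module golang.org/x/vuln\n", "README.md": b"# vuln\n"}
COMMIT_TIME = 1689000000  # constructed, fixed commit timestamp

def build_tar(files):
    """Deterministic tar: sorted names, fixed mtime, no owner information."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for name in sorted(files):
            info = tarfile.TarInfo(name)
            info.size = len(files[name])
            info.mtime = COMMIT_TIME
            info.uid = info.gid = 0
            info.uname = info.gname = ""
            tar.addfile(info, io.BytesIO(files[name]))
    return buf.getvalue()

def gzip_bytes(data, header_mtime):
    """gzip the tar, writing header_mtime into the 4-byte MTIME header field."""
    buf = io.BytesIO()
    with gzip.GzipFile(fileobj=buf, mode="wb", mtime=header_mtime) as gz:
        gz.write(data)
    return buf.getvalue()

def serve_archive(download_time, pinned=False):
    """Mock server (assumption, not gitiles). pinned=False stamps the download
    time into the gzip header; pinned=True uses the commit time instead."""
    return gzip_bytes(build_tar(FILES), COMMIT_TIME if pinned else download_time)

def sha256(data):
    return hashlib.sha256(data).hexdigest()

def payload_sha256(gz_data):
    """Hash of the decompressed tar: compare this across downloads to confirm
    that only the gzip header, not the source tree, changed."""
    return sha256(gzip.decompress(gz_data))

def gzip_header_mtime(gz_data):
    """MTIME field of a gzip header: bytes 4..8, little-endian (RFC 1952)."""
    return int.from_bytes(gz_data[4:8], "little")

def demo():
    t1, t2 = 1689713758, 1689713758 + 3600   # two downloads, an hour apart
    a, b = serve_archive(t1), serve_archive(t2)
    fixed = {sha256(serve_archive(t, pinned=True)) for t in (t1, t2)}
    return {"outer_differs": sha256(a) != sha256(b),
            "payload_same": payload_sha256(a) == payload_sha256(b),
            "header_mtimes": (gzip_header_mtime(a), gzip_header_mtime(b)),
            "fixed_unique_hashes": len(fixed)}
```

On a real download, comparing `payload_sha256` of two fetched archives tells you whether the sources match even when the outer sha256 does not.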