New supply-chain security tool: backseat-signed
Larry Doolittle
larry at doolittle.boa.org
Wed Apr 3 04:15:07 UTC 2024
Friends -
On Wed, Apr 03, 2024 at 05:21:40AM +0300, Adrian Bunk wrote:
> It is documented that auto-generated Github tarballs for the same tag
> and with the same commit ID downloaded at different times might have
> different checksums.
I've run into this statement before. It's annoyingly true,
in part because it's typically false.
Can we document a standard workaround-recipe, where a script
grabs the tarball, decompresses it, and then rebuilds and compresses
the contents in a way that _is_ reproducible?
- Larry
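The recipe Larry asks for, written out as an added example that is not part of the original message or of any rb-general project: a POSIX shell function that takes an already-downloaded auto-generated tarball, unpacks it, and re-packs the contents with fixed member order, timestamps, ownership and gzip header so that the result has a stable checksum. The download step is left to the caller (for example `curl -L -o raw.tar.gz "$URL"` before calling the function); the sample project tree in the demo is constructed here so the script runs offline. Assumptions: GNU tar 1.28 or newer (for `--sort` and `--pax-option`), GNU gzip, and either `sha256sum` or `shasum`; the function names `normalize_tarball`, `demo_normalize` and `sha256` are illustrative, not an existing tool's API.

```shell
#!/bin/sh
# Added example, not from the original thread or any rb-general project.
# Normalize an auto-generated tarball into a reproducible tar.gz.
set -eu

# sha256 FILE -> hex digest (assumes sha256sum, falling back to shasum)
sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# normalize_tarball IN OUT
# Unpack IN into a scratch dir and re-pack it with deterministic settings
# (the reproducible-builds.org tar recipe, assumed to be GNU tar >= 1.28):
#   --sort=name            member order independent of readdir order
#   --mtime=@EPOCH         all timestamps pinned to SOURCE_DATE_EPOCH (0 if unset)
#   --owner/--group=0      no uid/gid or user names leaked from the host
#   --numeric-owner        never store names, only the numbers above
#   --format=posix + --pax-option
#                          pax headers without the default PID-based names,
#                          and without atime/ctime extended records
#   gzip -n                no original file name or timestamp in the gzip header
normalize_tarball() {
    in=$1; out=$2
    epoch=${SOURCE_DATE_EPOCH:-0}
    tmp=$(mktemp -d)
    # -p keeps the archive's modes regardless of the local umask;
    # --no-same-owner avoids chown when run as root.
    tar -xpf "$in" --no-same-owner -C "$tmp"
    # LC_ALL=C so --sort=name byte-orders names identically on every host.
    (cd "$tmp" && LC_ALL=C tar --sort=name --format=posix \
        --mtime="@$epoch" \
        --owner=0 --group=0 --numeric-owner \
        --pax-option=exthdr.name=%d/PaxHeaders/%f,delete=atime,delete=ctime \
        -cf - .) | gzip -n -9 > "$out"
    rm -rf "$tmp"
}

# demo_normalize
# Builds two tarballs of the same constructed tree that differ byte-for-byte
# (different gzip level, one file mtime touched: the kind of drift the thread
# describes), normalizes both, and prints "match" if their checksums agree.
demo_normalize() {
    work=$(mktemp -d)
    src="$work/proj-1.0"                      # constructed sample project tree
    mkdir -p "$src/src"
    printf 'int main(void) { return 0; }\n' > "$src/src/main.c"
    printf 'name: proj\n' > "$src/.metadata"  # dotfile, to show it is not dropped
    (cd "$work" && tar -cf - proj-1.0 | gzip -9 > raw-a.tar.gz)
    touch -t 200101010000 "$src/src/main.c"   # same content, different mtime
    (cd "$work" && tar -cf - proj-1.0 | gzip -1 > raw-b.tar.gz)

    normalize_tarball "$work/raw-a.tar.gz" "$work/norm-a.tar.gz"
    normalize_tarball "$work/raw-b.tar.gz" "$work/norm-b.tar.gz"

    raw_a=$(sha256 "$work/raw-a.tar.gz");  raw_b=$(sha256 "$work/raw-b.tar.gz")
    norm_a=$(sha256 "$work/norm-a.tar.gz"); norm_b=$(sha256 "$work/norm-b.tar.gz")
    rm -rf "$work"

    # Sanity check: the raw archives really do differ before normalization.
    [ "$raw_a" != "$raw_b" ] || { echo "raw archives unexpectedly identical"; return 2; }
    if [ "$norm_a" = "$norm_b" ]; then
        echo match
    else
        echo differ
        return 1
    fi
}
```

The value worth pinning in a build recipe is the checksum of the normalized archive, and every consumer must run the same normalization (same tar version behaviour, same `SOURCE_DATE_EPOCH`) to reproduce it. Note what this does and does not buy: it removes differences that come from packaging (compressor settings, archive metadata, member order), so if two normalized archives still differ, the file contents themselves differ, which is exactly the case a checksum should catch.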