New supply-chain security tool: backseat-signed

Larry Doolittle larry at
Wed Apr 3 04:15:07 UTC 2024

Friends -

On Wed, Apr 03, 2024 at 05:21:40AM +0300, Adrian Bunk wrote:
> It is documented that auto-generated GitHub tarballs for the same tag
> and with the same commit ID downloaded at different times might have 
> different checksums.

I've run into this statement before.  It's annoyingly true,
in part because it's typically false.

Can we document a standard workaround-recipe, where a script
grabs the tarball, decompresses it, and then rebuilds and compresses
the contents in a way that _is_ reproducible?

  - Larry
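
One possible shape for the recipe asked about above, as an added example that is not part of the original message or the thread: it re-packs a tarball with sorted entries, fixed timestamps and no owner names, then recompresses without gzip header metadata. The function names, the sample file names and contents, and the choice of timestamp 0 are assumptions made for illustration.

```python
import gzip
import hashlib
import io
import tarfile

FILES = {  # constructed sample content, standing in for a project's source tree
    "pkg-1.0/README": b"hello\n",
    "pkg-1.0/src/main.c": b"int main(void) { return 0; }\n",
}


def constructed_tarball(order, mtime, level):
    """Build a sample .tar.gz whose bytes vary with entry order, timestamps and gzip level."""
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w", format=tarfile.PAX_FORMAT) as tar:
        for name in order:
            info = tarfile.TarInfo(name)
            info.size, info.mtime, info.uid, info.uname = len(FILES[name]), mtime, 1000, "builder"
            tar.addfile(info, io.BytesIO(FILES[name]))
    return gzip.compress(raw.getvalue(), compresslevel=level, mtime=mtime)


def normalize_tar(data):
    """Return an uncompressed tar stream that depends only on names, types, modes and contents."""
    src = tarfile.open(fileobj=io.BytesIO(data), mode="r:*")
    out = io.BytesIO()
    with tarfile.open(fileobj=out, mode="w", format=tarfile.GNU_FORMAT) as dst:
        for m in sorted(src.getmembers(), key=lambda m: m.name):
            m.mtime = 0                  # fixed timestamp (assumed convention)
            m.uid = m.gid = 0            # drop builder identity
            m.uname = m.gname = ""
            m.pax_headers = {}           # drop per-entry extended headers
            dst.addfile(m, src.extractfile(m) if m.isreg() else None)
    return out.getvalue()


def recompress(tar_bytes):
    """gzip with no embedded filename or timestamp; bytes still depend on the zlib build."""
    buf = io.BytesIO()
    with gzip.GzipFile(filename="", fileobj=buf, mode="wb", compresslevel=9, mtime=0) as gz:
        gz.write(tar_bytes)
    return buf.getvalue()


def digest(data):
    return hashlib.sha256(data).hexdigest()


if __name__ == "__main__":
    a = constructed_tarball(sorted(FILES), mtime=1712100000, level=6)
    b = constructed_tarball(sorted(FILES, reverse=True), mtime=1712110000, level=9)
    print(digest(a) == digest(b), digest(normalize_tar(a)) == digest(normalize_tar(b)))
```

Comparing the digest of the `normalize_tar` output rather than of the recompressed file keeps the check independent of which compressor version produced either copy.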

More information about the rb-general mailing list