Hi! Leo Famulari <l...@famulari.name> skribis:
> I contacted GitHub about this issue a few weeks ago and they said that: > > 1) They do not guarantee bit-reproducibility of the snapshots they > generate automatically for each release tag, and they wish that people > would not rely on them as we do. However, since people *are* relying on > them, they are discussing this issue internally. Oh?! Then we’re in trouble. Perhaps we should start using ‘git-fetch’ more, with Software Heritage as a fallback content-addressed mirror? Though again the difficulty is that SWH uses Git’s method to hash directory contents, so we’d end up having to provide both a Nix hash and a Git hash in ‘origin’. :-/ > In the meantime, we can add this to the list of reasons that > reproducibility is difficult in the long term. Heh. Ludo’.
