On Mon, Mar 31, 2025 at 01:39:57PM +0200, Vitaly Zaitsev via devel wrote: > On 31/03/2025 12:53, Zbigniew Jędrzejewski-Szmek wrote: > > This is inspired by the discussion in "Reproducible Builds" mailing list, > > in particular [1]. > > But auto-generated Git archives are not reproducible. GitHub uses a dirty > hack: on the first download, it caches the tarball on their resource server, > and then sends it back on subsequent requests.
Alexander kindly provided a link to the github blog post that says that this is not true: they only cache the tarball temporarily and the way they produce the tarballs is stable. (FWIW, I checked this myself for systemd a few months ago. I downloaded all the archives for all the releases of systemd from github, and then produced the same archives using 'git archive' locally with the appropriate options. The hashes were the same.) Zbyszek -- _______________________________________________ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
