Note that last I heard, git makes no promises that the output of `git archive`
will forever be reproducible either, although I don't think it has changed in
practice. IIRC github changed their archive generation a while ago, then backed
off from it.
But I did create https://github.com/cgwalters/git-evtag/ which is partly to
address some of this problem domain from the other direction - ensuring that
`git tag` has the same security properties as a tarball.
> hosted on rpm.org
Sure, why not, though of course GitHub releases support attached artifacts, and
for example for bootc we generate a `git archive` as an artifact (alongside a Rust
vendor snapshot) attached to the GitHub "release", so one doesn't need to host
out of band to have 100% fixed tarballs on GitHub.
(I would still say though that IMO, distributions like Fedora should encourage
fetching directly from git and not use tarballs at all...which is something
that RPM is somewhat in a position to help encourage, but that's a bigger
discussion...)
--
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/issues/3565#issuecomment-2654764696
_______________________________________________
Rpm-maint mailing list
Rpm-maint@lists.rpm.org
https://lists.rpm.org/mailman/listinfo/rpm-maint
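One way for a packager to check a published tarball against a freshly regenerated `git archive` without relying on byte identity (which, as the comment notes, git does not promise): hash the extracted content, ignoring mtimes, ownership, entry order and the top-level directory name. This is an added example, not code from the thread or from git-evtag; the sample tarballs are constructed in memory.

```python
"""Compare two tarballs by content rather than by bytes."""
import hashlib
import io
import tarfile


def _records(tar_bytes: bytes, strip: int):
    """Yield (path, kind, exec_bit, payload_sha256) for files and symlinks."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tf:
        for m in tf.getmembers():
            parts = m.name.strip("/").split("/")
            if len(parts) <= strip:
                continue  # the top-level directory entry itself
            path = "/".join(parts[strip:])
            if m.issym():
                yield (path, "symlink", 0,
                       hashlib.sha256(m.linkname.encode()).hexdigest())
            elif m.isfile():
                data = tf.extractfile(m).read()
                yield (path, "file", int(bool(m.mode & 0o100)),
                       hashlib.sha256(data).hexdigest())
            # directories are implied by file paths; other types are ignored


def content_digest(tar_bytes: bytes, strip_components: int = 1) -> str:
    """SHA-256 over the sorted entry records.

    Two archives get the same digest iff they contain the same tree
    (paths, file/symlink kind, executable bit, payload), regardless of
    mtime, uid/gid, entry order, compression or the prefix directory.
    """
    h = hashlib.sha256()
    for rec in sorted(_records(tar_bytes, strip_components)):
        h.update("\0".join(map(str, rec)).encode() + b"\n")
    return h.hexdigest()


def build_tar(files: dict, prefix: str, mtime: int, uid: int) -> bytes:
    """Constructed sample input: an in-memory .tar.gz with chosen metadata."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, data in files.items():
            info = tarfile.TarInfo(f"{prefix}/{name}")
            info.size = len(data)
            info.mtime = mtime
            info.uid = info.gid = uid
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()
```

In practice the two inputs are the release tarball and the output of `git archive <tag>` run locally; a digest mismatch means the tree differs, a match means only archive metadata did.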