> Note that last I heard, git makes no promises that the output of git archive
> will forever be reproducible either, although I don't think it has changed in
> practice. IIRC github changed their archive generation a while ago, then
> backed off from it.
Well, I said as much in the description:
We want our source releases to be bit per bit identical to what you get
straight out of git, with zero build steps to generate content, defined by a
git tag. We still want a stable archive of that content generated and hosted on
rpm.org because GH archive creation could change any day and render checksums
unverifiable.
The bit-per-bit output of git-archive may change and make the exact *archive*
non-reproducible at an unknown point in the future, but the actual *contents*
will still match bit-per-bit, and that's what ultimately matters. And we don't
have that now, because the source releases contain some amount of *built* data.
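The distinction drawn in the message above, between the bytes of an archive and its contents, can be checked mechanically. The following is an added example, not part of the original email or of rpm's tooling; the function names and the sample file tree are constructed for illustration. It hashes each member's data so that two archives that differ in timestamps, member order, tar format, and compression level still yield the same content digest, while a changed file does not.

```python
import gzip, hashlib, io, tarfile

def content_manifest(archive: bytes) -> dict:
    """Path -> (kind, sha256 or link target, executable bit).
    Ignores mtime, owner, member order, tar format and compression."""
    manifest = {}
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:*") as tar:
        for m in tar:
            name = m.name.rstrip("/")
            if name in manifest:
                raise ValueError(f"duplicate member: {name}")
            if m.isfile():
                digest = hashlib.sha256(tar.extractfile(m).read()).hexdigest()
                manifest[name] = ("file", digest, bool(m.mode & 0o100))
            elif m.issym():
                manifest[name] = ("symlink", m.linkname, False)
            elif m.isdir():
                manifest[name] = ("dir", "", False)
            else:
                raise ValueError(f"unexpected member type: {name}")
    return manifest

def content_digest(archive: bytes) -> str:
    """Single digest over the sorted manifest; stable across re-archiving."""
    items = sorted(content_manifest(archive).items())
    return hashlib.sha256(repr(items).encode()).hexdigest()

def build_archive(files, mtime, level, fmt) -> bytes:
    """Constructed sample input standing in for two archive generators."""
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w", format=fmt) as tar:
        for name, data in files:
            info = tarfile.TarInfo(name)
            info.size, info.mtime, info.mode = len(data), mtime, 0o644
            tar.addfile(info, io.BytesIO(data))
    return gzip.compress(raw.getvalue(), compresslevel=level, mtime=0)

# Constructed file tree (hypothetical names, not rpm's real sources).
FILES = [("example-1.0/README", b"hello\n"),
         ("example-1.0/src/main.c", b"int main(void) { return 0; }\n")]
OLD = build_archive(FILES, 0, 9, tarfile.GNU_FORMAT)
NEW = build_archive(FILES[::-1], 1700000000, 1, tarfile.PAX_FORMAT)
TAMPERED = build_archive([(FILES[0][0], FILES[0][1] + b"extra\n")] + FILES[1:],
                         0, 9, tarfile.GNU_FORMAT)

if __name__ == "__main__":
    print("archive bytes equal:", OLD == NEW)
    print("contents equal:", content_digest(OLD) == content_digest(NEW))
    print("tampered detected:", content_digest(TAMPERED) != content_digest(OLD))
```
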