> I'm getting the same checksum on multiple downloads of the same tarball here

Having slept on it, I realized this doesn't mean anything; even if GitHub
generated the archive on-the-fly for every request, `git archive` (which it
reportedly uses underneath) would still produce the same bit-by-bit archive
every time, of course.

> not sure if we could rely on it never changing (for the given release)

According to this [LWN article](https://lwn.net/Articles/921787/) (and the
associated GitHub [blog
post](https://github.blog/changelog/2023-01-30-git-archive-checksums-may-change/)),
this is indeed *not* guaranteed:

> GitHub doesn’t guarantee the stability of checksums for automatically
> generated archives. These are marked with the words “Source code (zip)” and
> “Source code (tar.gz)” on the Releases tab. If you need to rely on a
> consistent checksum, you may upload archives directly to GitHub Releases.
> These are guaranteed not to change.

Thus, we just need to continue producing our own tarballs, even if we start
doing GitHub releases.
--
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/issues/3565#issuecomment-2656196205
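
Why a byte-level checksum of a generated `.tar.gz` can change while the source tree does not, as an added example that is not part of the original message or of the rpm project's code: the same tar stream is compressed with two gzip settings, which stand in (as an assumption) for a change in the server-side compressor. File names and contents are constructed.

```python
import gzip
import hashlib
import io
import tarfile


def build_tar(files):
    """Build an uncompressed tar stream from {name: bytes} with fixed metadata."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for name in sorted(files):
            info = tarfile.TarInfo(name)
            info.size = len(files[name])
            info.mtime = 0  # fixed timestamp so the tar bytes are reproducible
            tar.addfile(info, io.BytesIO(files[name]))
    return buf.getvalue()


def gzip_bytes(data, level):
    """Compress with a fixed gzip header mtime so only the compressor setting varies."""
    return gzip.compress(data, compresslevel=level, mtime=0)


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def compare(archive_a, archive_b):
    """Return (same_archive_bytes, same_tar_payload) for two .tar.gz blobs."""
    same_bytes = sha256(archive_a) == sha256(archive_b)
    same_payload = (sha256(gzip.decompress(archive_a))
                    == sha256(gzip.decompress(archive_b)))
    return same_bytes, same_payload


# Constructed sample tree (not real project content).
TREE = {
    "pkg-1.0/README": b"constructed sample\n" * 200,
    "pkg-1.0/src/main.c": b"int main(void) { return 0; }\n" * 200,
}
TAR = build_tar(TREE)
ARCHIVE_OLD = gzip_bytes(TAR, level=9)  # stand-in for one compressor configuration
ARCHIVE_NEW = gzip_bytes(TAR, level=1)  # stand-in for a changed configuration

if __name__ == "__main__":
    print("old:", sha256(ARCHIVE_OLD))
    print("new:", sha256(ARCHIVE_NEW))
    print("(same archive bytes, same tar payload):", compare(ARCHIVE_OLD, ARCHIVE_NEW))
```

Comparing decompressed payloads only diagnoses such a mismatch; a pinned checksum still needs a byte-stable file, such as an archive uploaded to the release.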