On 25. 06. 21 14:54, Miroslav Suchý wrote:
On 25. 06. 21 at 14:50, Miro Hrončok wrote:

AFAIK git does not guarantee to produce byte2byte identical archives across
different versions of git, zlib, gzip etc. So even if upstream signs the
git generated archive, generating a byte2byte identical one might be tricky.

Neither git nor tar can do that. But it is not impossible. E.g. Tito [1] has
some hacks on top of git-archive which produce identical tar-balls.

That would require our upstreams to use tito (or similar), which we are in
many cases unlikely to affect.

I do not expect that. I rather meant that it is technically possible and Packit
can "steal" that code from Tito.

What I meant is that even if Packit has an ability to create reproducible git
tarballs, upstream would need to sign Packit-generated tarballs, which would
require a much higher level of Fedora's involvement in the upstream release
process than is usual for independent upstreams.
--
Miro Hrončok
--
Phone: +420777974800
IRC: mhroncok
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx