Damien Miller <djm@xxxxxxxxxxx> writes:

> I think we're going to check in the autoconf-generated files on the
> release branches instead.

Ok that may also achieve the same goal of reproducible release tarballs built from source code. With that approach, the tarball depends on which autoconf version was used by the release manager, and perhaps other things from the environment.

Could you document how to re-generate the release tarball including mentioning which autoconf version that you used? That would probably be sufficient to allow people to reproduce the release tarballs, and to allow people to audit that all generated files in the tarball were generated from the corresponding source code.

/Simon
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev