GNU bug report logs -
#76860
[PATCH] Reproducible tarballs for releases
Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):
Severity: wishlist
I propose that we ensure reproducibility in our release tarballs by
applying the recommended GNU Tar options. Please see the attached
patch.
The main value of reproducible tarballs is that they allow anyone --
whether downstream packagers, security auditors, or independent
developers -- to verify that the official release tarball matches the
corresponding source repository exactly.
This is particularly useful for:
1. Supply chain security. Ensuring that the tarball is built from the
expected source, with no accidental or malicious modifications.
2. Downstream distributions. Some distributions, like Debian and Guix,
strongly prefer reproducible builds to improve verifiability and
package integrity.
3. Debugging and consistency. Developers can regenerate the exact same
tarball locally, making it easier to debug, compare versions, or
audit historical releases.
Even if we're the only ones who generate official tarballs, making them
reproducible improves transparency and verifiability, which are
worthwhile goals on their own.
This approach follows the official GNU Tar manual guidelines:
https://www.gnu.org/software/tar/manual/html_node/Reproducibility.html
[0001-Make-release-tarball-more-reproducible.patch (text/x-patch, attachment)]
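The following is an added example, not the attached patch and not code from the project's build system. It applies the option set from the GNU Tar manual's Reproducibility page to a constructed source tree, then rebuilds the tarball after perturbing file mtimes to check that the digest does not change, with a plain `tar czf` build alongside for contrast. It assumes GNU tar (recent enough for `--pax-option`) and gzip on PATH; `SOURCE_EPOCH` is a placeholder timestamp standing in for the release date a maintainer would pin.

```shell
#!/bin/sh
# Added example (not from the bug report or its attached patch): build a
# release tarball with the GNU Tar manual's reproducibility options and
# verify that two builds of the same tree produce identical bytes.
# Assumes GNU tar and gzip on PATH.

# Placeholder: a real release pins this to a fixed date (e.g. the release
# commit's timestamp) so every rebuild stamps the same mtime.
SOURCE_EPOCH="${SOURCE_EPOCH:-2024-01-01 00:00:00Z}"

# make_reproducible_tarball SRCDIR OUTFILE
# Options follow https://www.gnu.org/software/tar/manual/html_node/Reproducibility.html
make_reproducible_tarball() {
    srcdir=$1
    outfile=$2
    LC_ALL=C tar --sort=name --format=posix \
        --pax-option=exthdr.name=%d/PaxHeaders/%f,delete=atime,delete=ctime \
        --mtime="$SOURCE_EPOCH" \
        --numeric-owner --owner=0 --group=0 \
        --mode=go+u,go-w \
        -C "$(dirname "$srcdir")" -cf - "$(basename "$srcdir")" \
        | gzip -9n > "$outfile"   # -n: no name/timestamp in the gzip header
}

# make_naive_tarball SRCDIR OUTFILE: a plain build, for comparison only.
make_naive_tarball() {
    tar -C "$(dirname "$1")" -czf "$2" "$(basename "$1")"
}

# file_digest FILE: SHA-256 hex digest, portable across sha256sum/shasum.
file_digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# build_twice_same_digest BUILDER
# Creates a constructed source tree, builds it with BUILDER, perturbs the
# files' mtimes, builds again, and prints "same" or "different" depending on
# whether the two tarballs have the same digest.
build_twice_same_digest() {
    builder=$1
    work=$(mktemp -d)
    mkdir -p "$work/proj-1.0/src"
    printf 'int main(void){return 0;}\n' > "$work/proj-1.0/src/main.c"
    printf 'all:\n\tcc -o proj src/main.c\n' > "$work/proj-1.0/Makefile"

    "$builder" "$work/proj-1.0" "$work/first.tar.gz"
    first=$(file_digest "$work/first.tar.gz")

    sleep 1   # ensure the wall-clock second changes before perturbing mtimes
    touch "$work/proj-1.0/src/main.c" "$work/proj-1.0/Makefile"

    "$builder" "$work/proj-1.0" "$work/second.tar.gz"
    second=$(file_digest "$work/second.tar.gz")

    rm -rf "$work"
    if [ "$first" = "$second" ]; then echo same; else echo different; fi
}

# Usage when run directly:
#   build_twice_same_digest make_reproducible_tarball   -> same
#   build_twice_same_digest make_naive_tarball          -> different
```

The naive build differs on every run even without a source change: tar records each file's current mtime and owner, directory order depends on the filesystem, and gzip writes the compression time into its header. Pinning `--mtime`, `--owner`/`--group`, `--sort=name`, the POSIX format with fixed pax header names (and no atime/ctime records), and `gzip -n` removes each of those sources of variation, which is what lets a downstream packager or auditor rebuild the tarball from the tagged source and compare digests.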