Publish PGP signed tarball without generated content?

Stuart Henderson stu at
Thu Apr 18 19:35:39 AEST 2024

On 2024/04/18 10:06, Damien Miller wrote:
> I think we're going to check in the autoconf-generated files on the
> release branches instead. 

That seems a sane approach. 

> On Wed, 17 Apr 2024, Simon Josefsson wrote:
> > and then publish the resulting openssh-9.7p1-src.tar.gz and
> > openssh-9.7p1-src.tar.gz.asc files, preferably using a version of git
> > that leads to archives that are identical to what GitHub currently
> > publish.

More than git is involved in this - it also depends on versions of
things like tar and gzip. And github don't guarantee that these files
won't change.

More information about the openssh-unix-dev mailing list