Publish PGP signed tarball without generated content?

Simon Josefsson simon at josefsson.org
Thu Apr 18 16:50:55 AEST 2024


Damien Miller <djm at mindrot.org> writes:

> I think we're going to check in the autoconf-generated files on the
> release branches instead.

Ok, that may also achieve the same goal of reproducible release tarballs
built from source code.

With that approach, the tarball depends on which autoconf version was
used by the release manager, and perhaps other things from the
environment.

Could you document how to re-generate the release tarball, including
which autoconf version you used?

That would probably be sufficient to allow people to reproduce the
release tarballs, and to allow people to audit that all generated files
in the tarball were generated from the corresponding source code.

/Simon
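The audit Simon describes above, as an added example that is not part of the thread or of OpenSSH's own tooling: unpack the release tarball, check out the matching git tag, regenerate the autoconf output with the version the release manager documented, and compare the generated files. The list of generated files, the `autoreconf` step, the tarball layout and the version-string parsing are assumptions.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): audit that the
# autoconf-generated files shipped in a release tarball match a fresh
# regeneration from the tagged source, using the documented autoconf version.
set -eu

# Files assumed to be autoconf-generated in the portable tree.
GENERATED="configure config.h.in"

# Compare each generated file in two trees; print the names that differ.
# Returns 0 when all match, 1 when at least one differs.
compare_generated() {
    tarball_dir=$1; rebuilt_dir=$2; rc=0
    for f in $GENERATED; do
        if ! cmp -s "$tarball_dir/$f" "$rebuilt_dir/$f"; then
            echo "MISMATCH: $f"; rc=1
        fi
    done
    return $rc
}

# Return 0 if the installed autoconf reports the documented version
# (e.g. "2.71"); the last word of the first --version line is assumed.
check_autoconf_version() {
    wanted=$1
    have=$(autoconf --version 2>/dev/null | sed -n '1s/.* //p')
    [ "$have" = "$wanted" ]
}

# audit_release <release.tar.gz> <git tag> <documented autoconf version>
# Run inside a clone of the source repository.
audit_release() {
    tarball=$1; tag=$2; wanted=$3
    check_autoconf_version "$wanted" || {
        echo "install autoconf $wanted before auditing"; return 2; }
    work=$(mktemp -d)
    tar -xzf "$tarball" -C "$work"                 # release tarball contents
    top=$(ls -d "$work"/*/ | head -n 1)            # its single top-level dir
    git archive --format=tar --prefix=src/ "$tag" | tar -x -C "$work"
    (cd "$work/src" && autoreconf -i >/dev/null)   # assumed regeneration step
    compare_generated "$top" "$work/src"
}

if [ "$#" -eq 3 ]; then audit_release "$@"; fi
```

A clean run prints nothing and exits 0; any MISMATCH line means the shipped file was not produced from the tagged source with that autoconf, and deserves a closer look.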