Publish PGP signed tarball without generated content?
Stuart Henderson
stu at spacehopper.org
Thu Apr 18 19:33:31 AEST 2024
On 2024/04/18 09:51, Corinna Vinschen wrote:
> On Apr 18 08:50, Simon Josefsson wrote:
> > Damien Miller <djm at mindrot.org> writes:
> >
> > > I think we're going to check in the autoconf-generated files on the
> > > release branches instead.
> >
> > Ok that may also achieve the same goal of reproducible release tarballs
> > built from source code.
> >
> > With that approach, the tarball depends on which autoconf version was
> > used by the release manager, and perhaps other things from the
> > environment.
> >
> > Could you document how to re-generate the release tarball including
> > mentioning which autoconf version that you used?
>
> The autoconf version used to generate the files is always put in the
> headers of the generated files.
What is ostensibly the same autoconf version can sometimes generate
different output, as some OS packages include patches to autoconf.
This is usually pretty obvious in a diff though.
More information about the openssh-unix-dev
mailing list