openssh unix dev - Apr 2024 - Publish PGP signed tarball without generated content?

Damien Miller <djm at mindrot.org> writes:
> I think we're going to check in the autoconf-generated files on the
> release branches instead.
Ok that may also achieve the same goal of reproducible release tarballs
built from source code.

With that approach, the tarball depends on which autoconf version was
used by the release manager, and perhaps other things from the
environment.

Could you document how to re-generate the release tarball including
mentioning which autoconf version that you used?

That would probably be sufficient to allow people to reproduce the
release tarballs, and to allow people to audit that all generated files
in the tarball were generated from the corresponding source code.

/Simon
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 255 bytes
Desc: not available
URL:
<http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20240418/d11604ea/attachment.asc>

On Apr 18 08:50, Simon Josefsson wrote:
> Damien Miller <djm at mindrot.org> writes:
> 
> > I think we're going to check in the autoconf-generated files on
the
> > release branches instead.
> 
> Ok that may also achieve the same goal of reproducible release tarballs
> built from source code.
> 
> With that approach, the tarball depends on which autoconf version was
> used by the release manager, and perhaps other things from the
> environment.
> 
> Could you document how to re-generate the release tarball including
> mentioning which autoconf version that you used?
The autoconf version used to generate the files is always put in the
headers of the generated files.


Corinna