8 comments

[ 573 ms ] story [ 984 ms ] thread
Caveat: GitHub zips/tarballs are generated on-demand and cached, so they're problematic for bit-for-bit reproducibility:

https://lists.gnu.org/archive/html/bug-guix/2017-10/msg00070...

Of course, you can just clone the git repo.

Interesting. I'm using them in most of my PKGBUILDs together with once-recoreded SHA256 checksums, and I haven't noticed any reproducibility issues yet.
> zips/tarballs are generated on-demand and cached

Isn't that a deterministic process? I thought if you zipped the same directory twice, you'd get exactly the same bits in the two archives.

Probably a timestamp. They're surprisingly pervasive.
> Of course, you can just clone the git repo.

Cloning a repo is more intensive on Github's infrastructure then grabbing a zip file or tarball and pushing it into an object store with heavy caching in front of it. There was an open source project that was using excessive resources within Github's infrastructure by using git clone to update itself over a large audience.

https://news.ycombinator.com/item?id=11245652

https://github.com/CocoaPods/CocoaPods/issues/4989#issuecomm...