Replies: 1 comment 1 reply
There are also many other people who build curl from source. They don't need to have the autotools installed.

on GitHub tarballs

Given GitHub's own comments on reproducibility of their tarballs, they seem less certain: "If you rely on stable archives for security (ensuring you don’t accidentally trigger a tarbomb, for example), we recommend you switch to release assets instead of using source downloads"

I hesitate starting to sign GitHub tarballs because I fear that it risks increasing the confusion about what a curl release is. A release is a release tarball. They come in four different compression formats. They are signed.

To generate a release build directly from a git tag, you can't just check out the code and build it since it will not match the corresponding tarball. I believe we don't even document that procedure since we don't encourage taking that route. The version and timestamp need to be set in
I did this
(First of all, sorry for being so late, this is a followup on "Reproducible tarballs" from this blogpost)

The steps needed to "reproduce the source code tarballs" are quite involved and I consider autotools pre-processing part of the regular build process that should happen on the Linux distro's build servers (so it's covered by reproducible builds infrastructure that e.g. Arch Linux operates).

The tarball GitHub provides is already reproducible, you can download a git archive snapshot of the git tree-ish from here:

I couldn't find a corresponding curl-8_7_1.tar.gz.asc, but I think there should be one.

You don't need to sign the tarball downloaded from GitHub, you can generate it locally:

But since the files are supposed to 100% match, the signature would be valid for the GitHub generated tarball too.

If the prefix and compression bother you, I'd recommend signing this instead (note .tar instead of .tar.gz):

Since git archive is deterministic, the generated file is expected to have a sha256 of d889aa963bb0d5f55801d122bda82f841e7807242195c5ceed2d30fdccfd2595 (given curl-8_7_1 points to de7b3e8). This hash is also how Arch Linux references the source code of curl: https://whatsrc.org/artifact/sha256:d889aa963bb0d5f55801d122bda82f841e7807242195c5ceed2d30fdccfd2595

While most of the other distros use the autotools pre-processed (but signed) tarball: https://whatsrc.org/artifact/sha256:99032a437fbcb38a37f35f23712bbeb6489be112450e02443e16786d3d745b31

Thanks for your attention!
I expected the following
There should be a signature on the pristine source code snapshot taken with git archive.

curl/libcurl version
8.7.1
operating system
Arch Linux
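The post above rests on two points: an archiver with fixed metadata (git archive) gives a bit-identical .tar for the same tree-ish, and the compression layer is what makes the prefix and .tar.gz bytes vary. The following is an added illustration of both, written for this page and not code from the discussion, the curl project or Arch Linux. The sample file tree, the commit timestamp and the "demo-1.0/" prefix are constructed; the archiver mimics the fixed-mtime, uid 0, sorted-entry layout of git archive but leaves out git's pax global header carrying the commit id, so its hashes are not the ones git archive produces.

```python
"""Why the uncompressed .tar from a deterministic archiver is the thing to
hash and sign.

Added example, not code from the discussion or the curl project. It mimics the
fixed-metadata layout `git archive` uses (sorted entries, mtime = commit time,
uid/gid 0, empty owner names); git's pax global header with the commit id is
deliberately left out, so these hashes are not git archive's.
"""
import gzip
import hashlib
import io
import tarfile

# Constructed stand-in for a tagged source tree (not real curl sources).
SAMPLE_TREE = {
    "src/main.c": b"int main(void) { return 0; }\n",
    "README.md": b"# demo\n",
    "configure.ac": b"AC_INIT([demo], [1.0])\n",
}
# Constructed stand-in for the tagged commit's timestamp. git archive stamps
# every entry with it, so the archive does not depend on when you checked out.
COMMIT_TIME = 1_711_555_200


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def deterministic_tar(tree: dict, prefix: str, mtime: int) -> bytes:
    """Build a ustar archive whose bytes depend only on (tree, prefix, mtime)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tf:
        for path in sorted(tree):          # fixed order, not directory order
            data = tree[path]
            info = tarfile.TarInfo(prefix + path)
            info.size = len(data)
            info.mtime = mtime             # no wall-clock leakage
            info.mode = 0o644
            info.uid = info.gid = 0        # no builder uid/gid leakage
            info.uname = info.gname = ""
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def gzip_with_mtime(tar_bytes: bytes, mtime: int) -> bytes:
    """The gzip header carries an MTIME field; most tools fill it from the
    input file or the clock, which is enough to change the .tar.gz bytes."""
    return gzip.compress(tar_bytes, mtime=mtime)


def tar_bytes_of(archive: bytes) -> bytes:
    """Strip gzip (magic 1f 8b) so downloads can be compared on the .tar."""
    if archive[:2] == b"\x1f\x8b":
        return gzip.decompress(archive)
    return archive


def matches_reference(archive: bytes, expected_tar_sha256: str) -> bool:
    """What a verifier holding a signed sha256 of the .tar does: compare after
    removing the non-deterministic compression layer."""
    return sha256(tar_bytes_of(archive)) == expected_tar_sha256


def demo() -> dict:
    tar_a = deterministic_tar(SAMPLE_TREE, "demo-1.0/", COMMIT_TIME)
    tar_b = deterministic_tar(SAMPLE_TREE, "demo-1.0/", COMMIT_TIME)
    other_prefix = deterministic_tar(SAMPLE_TREE, "demo-demo-1.0/", COMMIT_TIME)
    gz_now = gzip_with_mtime(tar_a, 1_720_000_000)
    gz_later = gzip_with_mtime(tar_a, 1_720_000_001)
    return {
        "tar_reproducible": sha256(tar_a) == sha256(tar_b),
        "prefix_changes_hash": sha256(tar_a) != sha256(other_prefix),
        "gz_reproducible": sha256(gz_now) == sha256(gz_later),
        "tar_hash_survives_gzip": matches_reference(gz_later, sha256(tar_a)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The takeaway matches the post: a signature over the .tar (or over its sha256) stays valid for any .tar.gz that unpacks to the same bytes, whereas a signature over one particular .tar.gz only covers that one compression run, and a different --prefix is a different archive even if the file contents are identical.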