Hi!
On 3/30/24 1:27 AM, Sebastian Bergmann wrote:
> On 30.03.2024 at 05:17, Ben Ramsey wrote:
>> This is also why our release managers sign the tarballs with their own
>> GPG keys, after generating the artifacts. This verifies the release
>> manager was the one who generated the files.
>
> But does the release manager generate the files (and the tarball) in a
> reproducible way?

I understand that's what ./scripts/dev/makedist and
./scripts/dev/genfiles do, but I suspect exact bits in resulting
configure and lexers may depend on the exact version of tools & utils
used. For upstream packagers like distros I'd likely recommend using
these tools directly anyway, and not rely on what's in the package.
--
Stas Malyshev
smalys...@gmail.com