From: Jason Self
To: Vagrant Cascadian
Cc: guix-devel@gnu.org
Subject: Re: Linux-libre git repository
Date: Thu, 13 Aug 2020 17:03:58 -0700
Message-ID: <20200813170358.0bc41b92@pc>
In-Reply-To: <87wo22bihy.fsf@ponder>

On Thu, 13 Aug 2020 09:47:21 -0700 Vagrant Cascadian wrote:

> It is also possible to retrieve tarballs directly from linux-libre git
> tags, though I know at least projects hosted on github this does
> occasionally result in non-identical tarballs. Not sure what factors
> might trigger this, other than changing tags, but possibly different
> git versions, tar versions and flags, and compression tool versions
> and optimizations could be a factor. Reproducible builds has
> documented some potential causes:

Adding in compression changes this because, for just one example, compression details can change between versions of compressors.
Assuming that there is no compression and there aren't changes in the underlying git repository, and assuming that git archive is invoked with precisely the same parameters each time, git archive is supposed to generate bit-identical tarballs between different platforms/versions of git (it's considered a bug if it doesn't).

Indeed, the Linux stable tree takes advantage of this reproducibility by adding a GPG signature for the uncompressed tarballs as a git note under refs/notes/signatures/tar. The signature also includes a comment with the precise command to regenerate the uncompressed tarball with git archive. This then makes it possible to verify a GPG signature of an uncompressed tarball that way. An example is [0]. cgit automatically adds the (sig) link when the corresponding git note is added in refs/notes/signatures/tar, but they can also be accessed directly from within git.

I found that useful after learning that GPG signatures within git itself "only validate the commit file contents up to the SHA-1 of the top level tree, it's not a GPG signature of the entire tree state. This means that a SHA-1 collision on the tree object, or any blob object, still results in a valid GPG signature." It seemed to be a neat way to sidestep the whole matter of SHA-1 falling apart, at least until git moves on to SHA-2 at some as-yet-unknown future point.

Anyway, the Linux-libre git repository similarly contains GPG signatures for the uncompressed tarballs, but as tags, not as a git note; either way the outcome is the same.
[0] https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ refs/notes/signatures/tar
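The workflow the message describes, as an added example that is not part of the original email and not the kernel.org or Linux-libre tooling: a throwaway repository is built with fixed identity and dates, `git archive` is run twice with identical parameters to show the uncompressed tarball is bit-for-bit repeatable, and a verification record for that tarball is stored as a git note under refs/notes/signatures/tar (the ref named in the message) together with the exact regeneration command. A sha256 digest stands in for the detached GPG signature so the script runs without a key; the note layout (`regenerate-with:` / `digest:` lines), the `repo-1.0/` prefix and the tag name are constructed here, not taken from any real repository.

```shell
#!/bin/sh
# Added example: reproducible "git archive" output plus a per-tag verification
# record kept as a git note. Not from the original email; the note format and
# the sha256 stand-in for a GPG signature are this script's own conventions.
set -eu

WORK=$(mktemp -d)
REPO="$WORK/repo"
NOTES_REF=refs/notes/signatures/tar   # the ref the Linux stable tree uses
trap 'rm -rf "$WORK"' EXIT

# Fixed identity and timestamps so the commit id, the tag object and the tar
# pax header (which embeds the commit id and mtime) are stable across runs.
export GIT_AUTHOR_NAME=Example GIT_AUTHOR_EMAIL=example@example.invalid
export GIT_COMMITTER_NAME=Example GIT_COMMITTER_EMAIL=example@example.invalid
export GIT_AUTHOR_DATE="1597276800 +0000" GIT_COMMITTER_DATE="1597276800 +0000"

sha256() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum; else shasum -a 256; fi | cut -d' ' -f1
}

# The exact regeneration command as a string: recorded in the note so a verifier
# reruns precisely what was hashed (in the real tree, what was signed).
archive_cmd() { printf 'git archive --format=tar --prefix=repo-%s/ %s' "${1#v}" "$1"; }

# Regenerate the uncompressed tarball for a tag and hash the raw tar stream.
# No compression is involved, which is what keeps the result stable.
archive_digest() {
    git -C "$REPO" archive --format=tar --prefix="repo-${1#v}/" "$1" | sha256
}

make_repo() {
    git init -q "$REPO"
    git -C "$REPO" config commit.gpgsign false
    git -C "$REPO" config tag.gpgsign false
    printf 'hello\n' > "$REPO/README"
    git -C "$REPO" add README
    git -C "$REPO" commit -q -m "initial import"
    git -C "$REPO" tag -a v1.0 -m "release v1.0"
}

# Attach the record to the tag object itself (rev-parse of an annotated tag
# yields the tag object, not the commit it points at).
record_note() {
    tag_obj=$(git -C "$REPO" rev-parse "$1")
    msg=$(printf 'regenerate-with: %s\ndigest: %s\n' "$(archive_cmd "$1")" "$(archive_digest "$1")")
    git -C "$REPO" notes --ref "$NOTES_REF" add -f -m "$msg" "$tag_obj"
}

# Exit 0 when a fresh "git archive" of the tag matches the recorded digest,
# 1 when it differs or when no record exists for that tag.
verify_tag() {
    tag_obj=$(git -C "$REPO" rev-parse "$1")
    note=$(git -C "$REPO" notes --ref "$NOTES_REF" show "$tag_obj" 2>/dev/null) || return 1
    expected=$(printf '%s\n' "$note" | sed -n 's/^digest: //p')
    [ -n "$expected" ] && [ "$expected" = "$(archive_digest "$1")" ]
}

# Overwrite the record with a bogus digest, i.e. what a corrupted or
# substituted record looks like to a verifier.
forge_note() {
    tag_obj=$(git -C "$REPO" rev-parse "$1")
    git -C "$REPO" notes --ref "$NOTES_REF" add -f -m "digest: 0000" "$tag_obj"
}

make_repo
record_note v1.0
echo "archive digest, run 1: $(archive_digest v1.0)"
echo "archive digest, run 2: $(archive_digest v1.0)"
echo "record stored under $NOTES_REF:"
git -C "$REPO" notes --ref "$NOTES_REF" show "$(git -C "$REPO" rev-parse v1.0)"
if verify_tag v1.0; then
    echo "v1.0: regenerated tarball matches the recorded digest"
else
    echo "v1.0: MISMATCH" >&2
    exit 1
fi
```

With a real detached signature in the note, the last step is `gpg --verify` of that signature against the regenerated tarball instead of the digest comparison; the point the script isolates is that the thing being verified is the tarball bytes `git archive` emits, not git's own SHA-1-based commit or tag signature. Repeating the two digest lines on another machine or git version is the cross-version check the message says git treats as a bug if it fails.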