On 2026-04-28 at 08:40:05, Simon Richter wrote:
> Hi,
>
> in Debian, we're shipping "original" tarballs for each software package, and
> the Debian specific changes in a separate file.
>
> Historically, thus users could do a bitwise comparison of the original
> tarball and the one in Debian to verify that these were unchanged.
>
> With git, some authors have stopped releasing official tarballs, so we're
> using git-archive a lot -- but this is reproducible only by accident. GitHub
> also prepares some release tarballs that may or may not be bitwise identical to
> what git archive produces.

I'll just note that we don't make any guarantees that `git archive` produces
identical output across versions. Incorrectly making that assumption broke
kernel.org when we changed the format in the past.

Also, if you use `export-subst`, then it's possible to emit short object IDs,
which can differ in length depending on how many objects are in the
repository. It's also possible to use zlib or pigz instead of gzip to produce
tarballs, in which case the compressed data will also differ.

I had intended to create and emit a standard, reproducible format for `git
archive`, but never got around to finishing that. Perhaps I'll try to pick it
up at some point; I expect it will be easier to implement now that we have
Rust support in the tree.

When I was one of the maintainers of Git LFS, we intentionally produced source
tarballs specifically to emit bit-for-bit identical artifacts.
-- 
brian m. carlson (they/them)
Toronto, Ontario, CA
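The distinction the reply draws between the compressed bytes and the tar stream inside them (gzip, pigz and zlib each emit different compressed data for the same input) is the one a verifier has to get right. The following is an added example, not code from the thread or from Git itself: it builds a small constructed source tree into a tar stream in memory, compresses that stream twice with settings different tools commonly choose, and shows that the `.tar.gz` bytes differ while the decompressed tar stream and the per-file content are identical. The sample files and all function names are assumptions for illustration.

```python
import gzip
import hashlib
import io
import tarfile

# Constructed sample tree standing in for an upstream release (not from the thread).
SAMPLE_FILES = {
    "project-1.0/README": b"Sample project\n",
    "project-1.0/src/main.c": b"int main(void) { return 0; }\n",
}


def build_tar(files, mtime=0):
    """Return an uncompressed ustar stream with fixed metadata for the given files.

    Fixed mtime/uid/gid and sorted member order are what make the *tar stream*
    itself reproducible; the compressor is a separate source of variation.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        for name in sorted(files):
            data = files[name]
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mtime = mtime
            info.mode = 0o644
            info.uid = info.gid = 0
            info.uname = info.gname = ""
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def compress(tar_bytes, level, header_mtime):
    """gzip the tar stream.

    Compression level and the mtime field in the gzip header are two of the
    knobs that gzip, pigz and zlib-based tools set differently, so the same
    tar stream yields different .tar.gz bytes.
    """
    out = io.BytesIO()
    with gzip.GzipFile(fileobj=out, mode="wb", compresslevel=level, mtime=header_mtime) as gz:
        gz.write(tar_bytes)
    return out.getvalue()


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def decompressed_tar(tgz_bytes):
    """The tar stream inside a .tar.gz, i.e. what `git archive` produced before gzip."""
    return gzip.decompress(tgz_bytes)


def content_digest(tgz_bytes):
    """Digest of the archive's logical content: sorted (name, mode, size, sha256(data)).

    Two archives with equal content digests unpack to the same tree even when
    their compressed bytes, or even their tar headers, differ.
    """
    entries = []
    with tarfile.open(fileobj=io.BytesIO(tgz_bytes), mode="r:gz") as tar:
        for member in tar:
            data = tar.extractfile(member).read() if member.isfile() else b""
            entries.append((member.name, member.mode, member.size, sha256(data)))
    h = hashlib.sha256()
    for entry in sorted(entries):
        h.update(repr(entry).encode())
    return h.hexdigest()


def compare(tgz_a, tgz_b):
    """Return (bitwise_identical, tar_stream_identical, content_identical)."""
    return (
        tgz_a == tgz_b,
        decompressed_tar(tgz_a) == decompressed_tar(tgz_b),
        content_digest(tgz_a) == content_digest(tgz_b),
    )


if __name__ == "__main__":
    tar = build_tar(SAMPLE_FILES)
    upstream = compress(tar, level=9, header_mtime=0)          # e.g. gzip -n -9
    rebuilt = compress(tar, level=1, header_mtime=1700000000)  # e.g. a different tool/settings
    print("bitwise / tar stream / content identical:", compare(upstream, rebuilt))
```

For a Debian-style "original tarball unchanged" check this means comparing the decompressed tar stream (or per-entry digests) rather than the `.tar.gz` checksum, and treating a bitwise match of two `git archive` runs as a coincidence rather than a guarantee, as the reply says: the format, the short object ID length under `export-subst`, and the compressor can all change the bytes.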