Hi Phil,
> >
> > You either need to make and host your own, or download from the
> > github mirror ( https://github.com/osmocom/gr-iqbal/releases )
>
> Standard warning, github is known to regenerate tarballs with
> different contents that lead to sha hash mismatches with time, making
> it hard to validate the downloaded tarball. Don't depend on github
> downloaded tarballs if you care about supply chain integrity.
This is a bit imprecise: The contents of the tarball are not
different, but rather the timestamps might differ for _automatically_
generated tarballs. This is due to GitHub sometimes regenerating
tarballs on the fly.
If a release tarball is created manually and
uploaded as an asset for a release tag, there is no problem.
Cheers
A
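The distinction drawn in this thread (same files, different archive bytes) can be checked mechanically. The following is an added example, not code from the thread or from gr-iqbal: it pins both the raw archive digest and a digest of the member contents with timestamps excluded, so a regenerated tarball is reported as metadata-only drift while a real file change is still caught. The archives are constructed in memory for illustration.

```python
"""Compare two tarballs by content, ignoring timestamps and gzip metadata."""
import hashlib
import io
import tarfile


def archive_sha256(data: bytes) -> str:
    """SHA-256 of the raw archive bytes, i.e. what a release checksum pins."""
    return hashlib.sha256(data).hexdigest()


def content_sha256(data: bytes) -> str:
    """SHA-256 over sorted member names, types, modes and file bytes only.

    mtime, owner and gzip header fields are excluded, so two regenerated
    archives holding identical files produce the same digest.
    """
    h = hashlib.sha256()
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for m in sorted(tar.getmembers(), key=lambda t: t.name):
            h.update(f"{m.name}\0{m.type!r}\0{m.mode:o}\0".encode())
            if m.isfile():
                h.update(tar.extractfile(m).read())
            h.update(b"\0")
    return h.hexdigest()


def classify(data: bytes, pinned_archive: str, pinned_content: str) -> str:
    """Tell a benign regeneration apart from a real change to the files."""
    if archive_sha256(data) == pinned_archive:
        return "exact match"
    if content_sha256(data) == pinned_content:
        return "metadata-only drift"  # same files, new timestamps
    return "content mismatch"


def make_tgz(files: dict, mtime: int) -> bytes:
    """Build a constructed .tar.gz in memory with a fixed member mtime."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, body in files.items():
            info = tarfile.TarInfo(name)   # regular file, mode 0o644
            info.size = len(body)
            info.mtime = mtime
            tar.addfile(info, io.BytesIO(body))
    return buf.getvalue()
```

A manually uploaded release asset should always give "exact match" against its published checksum; only on-the-fly archives are expected to show "metadata-only drift".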