[openstack-dev] [all] [stable] No longer doing stable point releases

Alan Pevec apevec at gmail.com
Mon Jun 1 07:13:42 UTC 2015


> You will get different checksums with tar and/or gzip, you can check the
> extracted files and they should be the same.

Yes, content is the same, it's just difference in timestamps of
folders and generated files (ChangeLog, egg-info etc).

> I would like to see signed commits in the 'official' repos (at
> git.openstack.org), if only because relying on sha alone doesn't seem
> enough for some.

Yeah, maybe RPM and I are just too old and should drop reproducibility
requirement :)
It might be nitpicking to expect exact same bits but it seems that
only missing part is an option to tell sdist to set specific timestamp
on generated files and folders.


Cheers,
Alan



More information about the OpenStack-dev mailing list