Simon Josefsson wrote:

> The only way to really be sure is to continuously do 'make release' etc
> in CI/CD from fresh git and compare with your local tarballs. I do this
> for several projects (libidn, libtasn1, inetutils, ...), and for
> inetutils I get reproducible tarballs (with some uncommitted fixes).
> I'm having serious problems getting releases out the door due to some
> small nit causing tarball reproducibility problems, or messing up the
> release process.... But .version and .tarball-version files have not
> been involved in any reproducibility problem that I've noticed.
Most package maintainers don't go through such hoops for reproducible tarballs. They just follow a certain recipe (from a writeup or from memory) and sometimes forget one step.

If there are bugs in the GNUmakefile regarding the release process, we need to fix them. While you are right that comparing with a fully machine-generated tarball is a way to find such bugs, I doubt that many maintainers will do this.

Bruno
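A check of the kind Simon describes, as an added example that is not part of this thread or of any GNU project's release scripts: it unpacks two tarballs (say, the CI-built one and the local one), builds a per-file manifest of mode, owner, size, mtime and content hash, and diffs the two, so a reproducibility nit is pointed at rather than merely detected by a checksum mismatch. It assumes GNU tar, GNU stat, GNU touch and sha256sum; the sample tarballs are constructed inline and are not real releases.

```shell
#!/bin/sh
# Added example: locate what differs between two release tarballs.
set -eu

# Print a sorted manifest of every regular file in the tarball:
# path, mode, uid:gid, size, mtime (epoch seconds), sha256 of content.
tarball_manifest() {
    tmp=$(mktemp -d)
    tar -xf "$1" -C "$tmp"
    ( cd "$tmp" && find . -type f | LC_ALL=C sort | while read -r f; do
        printf '%s %s %s\n' "$f" "$(stat -c '%a %u:%g %s %Y' "$f")" \
            "$(sha256sum < "$f" | cut -d' ' -f1)"
    done )
    rm -rf "$tmp"
}

# Compare two tarballs; return 0 if their manifests match, else print
# the differing manifest lines and return 1.
compare_tarballs() {
    ma=$(mktemp); mb=$(mktemp)
    tarball_manifest "$1" > "$ma"
    tarball_manifest "$2" > "$mb"
    if cmp -s "$ma" "$mb"; then
        rm -f "$ma" "$mb"; echo "identical: $1 $2"; return 0
    fi
    echo "DIFFER: $1 $2"
    diff "$ma" "$mb" || true
    rm -f "$ma" "$mb"
    return 1
}

# Constructed sample (not a real release): same source file, but the
# second tarball carries a different mtime, a typical reproducibility nit.
make_samples() {
    work=$(mktemp -d)
    mkdir -p "$work/src"
    printf 'int main(void) { return 0; }\n' > "$work/src/main.c"
    touch -d '2024-01-01 00:00:00 UTC' "$work/src/main.c"
    tar -cf "$work/a.tar" -C "$work" src
    touch -d '2024-06-01 00:00:00 UTC' "$work/src/main.c"
    tar -cf "$work/b.tar" -C "$work" src
    echo "$work"
}

# Usage: sh compare_tarballs.sh ci-built.tar.gz local.tar.gz
if [ "$#" -eq 2 ]; then
    compare_tarballs "$1" "$2"
fi
```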