Tarballs
Nathan Ward
lists+freeradius at daork.net
Mon Jul 6 03:37:06 CEST 2020
> On 6/07/2020, at 13:24, Alan DeKok <aland at deployingradius.com> wrote:
>
>> The GitHub tarballs have a differently named root folder, so the signature checking is failing. Hashes show they're different:
>
> Yes. We create our own tarballs and sign those. When we tag a release, GitHub *also* creates its own tarballs, which are different.
>
> GitHub doesn't seem to have a way to upload our own tarballs. And TBH, I won't sign random things created by a third party.
When you create a “Release” in GitHub you can upload a “binary”. That can be a tgz of source code.
It’s not ideal, as you still get “Source Code” zip and tgz options in the release download page - but it could work around this issue.
You can reduce the “Source Code” zip contents to nil by using gitattributes export-ignore to tell GitHub not to export certain files (and make it match files), but that means anyone doing archive generation for whatever reasons will be confused.
--
Nathan Ward
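
Added example, not part of the original message or of the FreeRADIUS project: a way to check whether a GitHub-generated tarball carries the same file contents as the project's signed tarball once the differently named root folder is ignored. All archive names and file contents below are constructed sample data, and the signed tarball is assumed to have had its signature verified separately.

```python
import hashlib
import io
import tarfile

def tree_digests(tgz_bytes):
    """Map each regular file's path (root folder stripped) to its SHA-256."""
    digests = {}
    with tarfile.open(fileobj=io.BytesIO(tgz_bytes), mode="r:gz") as tar:
        for member in tar:
            if not member.isfile():
                continue
            # Drop the first path component (the archive's root folder name).
            rel = member.name.split("/", 1)[-1]
            data = tar.extractfile(member).read()
            digests[rel] = hashlib.sha256(data).hexdigest()
    return digests

def compare(signed_tgz, other_tgz):
    """Return (only_in_signed, only_in_other, differing) as sorted lists."""
    a, b = tree_digests(signed_tgz), tree_digests(other_tgz)
    only_a = sorted(set(a) - set(b))
    only_b = sorted(set(b) - set(a))
    differing = sorted(p for p in set(a) & set(b) if a[p] != b[p])
    return only_a, only_b, differing

def make_tgz(root, files):
    """Build a constructed sample tarball in memory (hypothetical helper)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(f"{root}/{name}")
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

# Constructed sample data: the same tree under two different root folder names.
FILES = {"README": b"hello\n", "src/main.c": b"int main(void){return 0;}\n"}
project = make_tgz("example-1.0", FILES)
github = make_tgz("example-release_1_0", FILES)
tampered = make_tgz("example-release_1_0", {**FILES, "src/main.c": b"changed\n"})

if __name__ == "__main__":
    print("archive bytes equal:", project == github)
    print("project vs github:  ", compare(project, github))
    print("project vs tampered:", compare(project, tampered))
```

Matching contents do not make the signature apply to the second archive; the check only shows whether the two trees agree. Files excluded via export-ignore would appear in the first returned list.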