Tarballs

Nathan Ward lists+freeradius at daork.net
Mon Jul 6 03:37:06 CEST 2020


> On 6/07/2020, at 13:24, Alan DeKok <aland at deployingradius.com> wrote:
> 
>> The GitHub tarballs have a differently named root folder, so the signature checking is failing. Hashes show they're different:
> 
>  Yes.  We create our own tarballs and sign those.  When we tag a release, GitHub *also* creates its own tarballs, which are different.
> 
>  GitHub doesn't seem to have a way to upload our own tarballs.  And TBH, I won't sign random things created by a third party.

When you create a “Release” in GitHub you can upload a “binary”. That can be a tgz of source code.
It’s not ideal, as you still get “Source Code” zip and tgz options in the release download page - but it could work around this issue.

You can reduce the “Source Code” zip contents to nil by using gitattributes export-ignore to tell GitHub not to export certain files (and make it match files), but that means anyone doing archive generation for whatever reasons will be confused.

--
Nathan Ward
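
The mismatch described in this thread, as an added example that is not part of the original message or the FreeRADIUS project's tooling: it compares a project-signed tarball with a GitHub-generated one file by file, ignoring the root folder name. The archive names, file contents and helper names are constructed for illustration, and the comparison covers regular-file contents only (not modes or symlinks).

```python
import hashlib
import io
import tarfile


def manifest(tar_bytes):
    """Map each regular file's path (root folder stripped) to its SHA-256."""
    out = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for member in tar:
            if not member.isfile():
                continue
            # Drop the first path component, i.e. the archive's root folder.
            _, _, rel = member.name.partition("/")
            if rel:
                out[rel] = hashlib.sha256(tar.extractfile(member).read()).hexdigest()
    return out


def differing_paths(signed_bytes, other_bytes):
    """Paths whose content differs or which exist in only one archive."""
    a, b = manifest(signed_bytes), manifest(other_bytes)
    return sorted(p for p in a.keys() | b.keys() if a.get(p) != b.get(p))


def build_tgz(root, files):
    """Build a constructed sample .tar.gz in memory under the given root folder."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(f"{root}/{name}")
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed sample data: the same tree under two different root folder names,
# plus a copy with one file changed.
FILES = {"README": b"hello\n", "src/main.c": b"int main(void){return 0;}\n"}
SIGNED = build_tgz("project-1.0", FILES)
GITHUB = build_tgz("project-release_1_0", FILES)
TAMPERED = build_tgz("project-release_1_0",
                     {**FILES, "src/main.c": b"int main(void){return 1;}\n"})

if __name__ == "__main__":
    print("archive bytes identical:", SIGNED == GITHUB)
    print("signed vs GitHub-style:", differing_paths(SIGNED, GITHUB))
    print("signed vs tampered:", differing_paths(SIGNED, TAMPERED))
```

The result is only meaningful once the signature on the project's own tarball has been verified; an empty difference list then shows the other archive carries the same file contents.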


