Nathan Ward lists+freeradius at daork.net
Mon Jul 6 03:37:06 CEST 2020

> On 6/07/2020, at 13:24, Alan DeKok <aland at deployingradius.com> wrote:
>> The GitHub tarballs have a differently named root folder, so the signature checking is failing. Hashes show they're different:
>  Yes.  We create our own tarballs and sign those.  When we tag a release, GitHub *also* creates its own tarballs, which are different.
>  GitHub doesn't seem to have a way to upload our own tarballs.  And TBH, I won't sign random things created by a third party.

When you create a “Release” in GitHub you can upload a “binary”. That can be a tgz of source code.
It’s not ideal, as you still get “Source Code” zip and tgz options in the release download page - but it could work around this issue.

You can reduce the “Source Code” zip contents to nil by using gitattributes export-ignore to tell GitHub not to export certain files (and make it match files), but that means anyone doing archive generation for whatever reasons will be confused.

Nathan Ward
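
An added example, not part of the original thread and not FreeRADIUS project code: after the project's signed tarball has passed signature verification, this compares a second tarball against it file by file with the root folder name stripped, so a rename of the root folder alone does not count as a difference. The archive names and file contents are constructed sample data, and the helper names are hypothetical.

```python
import hashlib
import io
import tarfile


def content_digests(tar_bytes):
    """Map each regular file's path, minus the root folder, to its SHA-256."""
    digests = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for member in tar:
            if not member.isfile():
                continue
            # Drop the first path component (the archive's root folder).
            _, _, relative = member.name.partition("/")
            data = tar.extractfile(member).read()
            digests[relative] = hashlib.sha256(data).hexdigest()
    return digests


def compare(signed_bytes, other_bytes):
    """Return paths missing, extra or changed relative to the signed tarball."""
    signed, other = content_digests(signed_bytes), content_digests(other_bytes)
    common = signed.keys() & other.keys()
    return {
        "missing": sorted(set(signed) - set(other)),
        "extra": sorted(set(other) - set(signed)),
        "changed": sorted(p for p in common if signed[p] != other[p]),
    }


def make_tarball(root, files):
    """Build a constructed .tar.gz in memory from a root name and {path: bytes}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, data in files.items():
            info = tarfile.TarInfo(f"{root}/{path}")
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed sample data: identical files under differently named root folders.
FILES = {"configure": b"#!/bin/sh\n", "src/main.c": b"int main(void){return 0;}\n"}
SIGNED = make_tarball("project-1.0.0", FILES)
RENAMED = make_tarball("project-release_1_0_0", FILES)
MODIFIED = make_tarball("project-release_1_0_0", {**FILES, "configure": b"#!/bin/sh\n# edited\n"})

if __name__ == "__main__":
    print(compare(SIGNED, RENAMED))
    print(compare(SIGNED, MODIFIED))
```

An empty result only says the file contents match the tarball whose signature was checked; it does not replace that signature check.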
