Simon Richter <[email protected]> writes:

> Hi,
>
> On 1/8/26 5:01 PM, Simon Josefsson wrote:
>
>> Things stored in git doesn't offer those guarantees. Neither the git repository, nor a git-bundle or a git-archive output provide long-term archival properties. I'm not aware of any documented/supported way to reproduce a particular artifact from a git repository 20 years ahead. Even to the contrary: git is more or less documented to NOT offer this functionality, since changes are happening.
>
> Right, we need to keep that in mind, even if git-archive happens to behave like this right now.
It doesn't behave like that right now. If you run 'git archive' from a set of common distribution releases in the past 5 years you will have several different variants:

1) RHEL8/9, Ubuntu 24.04+, Debian 12+, Guix: modern variant.

2) RHEL 10 eco-system: zlib-ng, different compression. I'm trying to ignore this, but it is becoming harder as RHEL10 spreads.

3) Ubuntu 22.04 eco-system: export-subst has a long git describe substitution.

4) Debian 11 eco-system: no export-subst support.

Comparing GitHub, GitLab, Codeberg etc generated archives (which may or may not use 'git archive' internally) over the last 5 years also gives different outputs.

I don't think we can view 'git archive' as a stable output format. It is a temporary snapshot mechanism, and the format is a continuously moving target, and documented to be that.

> OTOH I think we can make signatures on bundles work by using the object ID of the ref we're signing, and verifying internal consistency.

If someone can come up with a recipe to create a git bundle that can be re-created bit-by-bit identical later on, that would help! Here was my last attempt to do this:

https://blog.josefsson.org/2025/07/31/independently-reproducible-git-bundles/

It was reproducible unless the git repository sees further commits. Pruning later commits somehow from the git bundle should be possible, and then things would be reproducible again. But I don't know how. There is some advice from git people how to do it:

https://lore.kernel.org/git/[email protected]/t/#md469596b6b95790efe045e408b1d2f19503048cd

However it looked so hacky I really didn't want to go down that road, hoping someone else would come up with a better way to do this.

Help?

/Simon
signature.asc
Description: PGP signature
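The "sign the object ID of the ref and verify internal consistency" idea from the quoted reply can be checked without running git at all: the bundle header is plain text and the embedded packfile ends with a checksum over its own content. The parser below is an added example written for this page, not code from either participant; it follows the bundle layout documented in git's gitformat-bundle (v2/v3 header, blank line, packfile) and all function names and the sample bundle are constructed for illustration.

```python
import hashlib
import re
from dataclasses import dataclass

HEX_RE = re.compile(rb"^(?:[0-9a-f]{40}|[0-9a-f]{64})$")

@dataclass
class BundleInfo:
    version: int
    capabilities: dict   # v3 "@key=value" lines, e.g. object-format
    prerequisites: list  # (oid, commit subject) the receiver must already have
    refs: dict           # refname -> object ID (what a signature would cover)
    object_count: int    # objects declared in the embedded packfile
    pack_ok: bool        # packfile trailer checksum matches its content

def build_empty_pack(algo="sha1"):
    """Constructed sample: a valid, object-less packfile with its checksum trailer."""
    body = b"PACK" + (2).to_bytes(4, "big") + (0).to_bytes(4, "big")
    return body + hashlib.new(algo, body).digest()

def parse_bundle(data: bytes) -> BundleInfo:
    """Parse the bundle header and verify the packfile trailer; raise on malformed input."""
    header_end = data.find(b"\n\n")  # header is terminated by one blank line
    if header_end < 0:
        raise ValueError("no header terminator")
    header, pack = data[:header_end].split(b"\n"), data[header_end + 2:]
    if header[0] not in (b"# v2 git bundle", b"# v3 git bundle"):
        raise ValueError("not a git bundle")
    version = int(header[0][3:4].decode())
    caps, prereqs, refs = {}, [], {}
    for line in header[1:]:
        if line.startswith(b"@"):  # v3 capability line
            key, _, value = line[1:].partition(b"=")
            caps[key.decode()] = value.decode()
            continue
        oid, _, rest = line.lstrip(b"-").partition(b" ")
        if not HEX_RE.match(oid):
            raise ValueError("bad object ID in header: %r" % line)
        if line.startswith(b"-"):
            prereqs.append((oid.decode(), rest.decode()))
        else:
            refs[rest.decode()] = oid.decode()
    algo = caps.get("object-format", "sha1")
    hlen = hashlib.new(algo).digest_size
    if pack[:4] != b"PACK" or len(pack) < 12 + hlen:
        raise ValueError("truncated or missing packfile")
    count = int.from_bytes(pack[8:12], "big")
    ok = hashlib.new(algo, pack[:-hlen]).digest() == pack[-hlen:]
    return BundleInfo(version, caps, prereqs, refs, count, ok)

# Constructed sample: one prerequisite, one ref, empty pack (not a real repository).
SAMPLE_BUNDLE = (b"# v2 git bundle\n" + b"-" + b"a" * 40 + b" base commit\n"
                 + b"b" * 40 + b" refs/heads/main\n\n" + build_empty_pack())
```

A detached signature over `refs["refs/heads/main"]` then identifies the content independently of how the pack was compressed, while `pack_ok` catches a bundle whose pack bytes no longer match their trailer.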

