Yep; that's why I also upload all GNU Radio release tarballs to github.

Cheers
Marcus

On Wed, 2020-01-08 at 17:59 +0100, Andrej Rode wrote:
> Hi Phil,
>
> > > You either need to make and host your own, or download from the
> > > github mirror ( https://github.com/osmocom/gr-iqbal/releases )
> >
> > Standard warning, github is known to regenerate tarballs with
> > different contents that lead to sha hash mismatches with time making
> > it hard to validate the downloaded tarball. Don't depend on github
> > downloaded tarballs if you care about supply chain integrity.
>
> This is a bit imprecise: The contents of the tarball are not
> different, but rather the timestamps might differ for _automatically_
> generated tarballs. This is due to GitHub sometimes regenerating
> tarballs on the fly.
>
> If a release tarball is created manually and
> uploaded as asset for a release tag there is no problem.
>
> Cheers
> A
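The distinction drawn in the quoted reply (identical file contents, different archive bytes) can be checked directly. The following is an added example, not part of the original thread: it builds two tarballs from the same constructed files with different timestamps and compares the hash of the archive bytes against a digest computed over the members' contents only. The file names, timestamps and the `content_digest` helper are assumptions made for illustration.

```python
import gzip, hashlib, io, tarfile

# Constructed sample tree; names and contents are illustrative only.
FILES = {"pkg-1.0/README": b"example readme\n",
         "pkg-1.0/src/main.c": b"int main(void) { return 0; }\n"}

def build_tarball(files, mtime):
    """Build a .tar.gz in memory with every timestamp set to `mtime`."""
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w") as tar:
        for name in sorted(files):
            info = tarfile.TarInfo(name)
            info.size = len(files[name])
            info.mtime = mtime
            tar.addfile(info, io.BytesIO(files[name]))
    out = io.BytesIO()
    with gzip.GzipFile(fileobj=out, mode="wb", mtime=mtime) as gz:
        gz.write(raw.getvalue())
    return out.getvalue()

def archive_digest(blob):
    """SHA-256 of the archive bytes: what a pinned checksum compares."""
    return hashlib.sha256(blob).hexdigest()

def content_digest(blob):
    """SHA-256 over member name, type, permission bits and file data,
    ignoring timestamps, ownership and compression parameters."""
    h = hashlib.sha256()
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:*") as tar:
        for m in sorted(tar.getmembers(), key=lambda m: m.name):
            h.update(m.name.encode() + b"\0" + m.type + b"\0")
            h.update(f"{m.mode & 0o777:o}".encode() + b"\0")
            if m.isfile():
                h.update(hashlib.sha256(tar.extractfile(m).read()).digest())
            elif m.issym() or m.islnk():
                h.update(m.linkname.encode() + b"\0")
    return h.hexdigest()

if __name__ == "__main__":
    first = build_tarball(FILES, 1578500000)    # constructed timestamps
    second = build_tarball(FILES, 1600000000)
    print("archive hashes equal:", archive_digest(first) == archive_digest(second))
    print("content digests equal:", content_digest(first) == content_digest(second))
```

The archive hash is the value to pin when the tarball is a manually uploaded release asset; the content digest is a way to compare two downloads whose archive hashes disagree.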