Calling the release script twice, we end up with different checksums because the tarball is generated from a copy of the files to release/build, which changes their metadata (dates of last modification and creation). It would be nice to be able to reproduce them and make sure the tarball hasn't been tampered with easily, without having to extract it and diff -rua them.
The binaries, though, seem to be reproducible, if given the same software at least (tested with opam-2.4.1-x86_64-linux).
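One way to get a tarball whose checksum depends only on file names and contents, as an added example that is not part of the report or of the project's release script. The function names, the `prefix` argument and the fixed epoch of 0 are assumptions made for illustration.

```python
import gzip
import hashlib
import io
import os
import tarfile


def _normalize(info, epoch):
    """Drop every metadata field that differs between two copies of a tree."""
    info.mtime = epoch                       # fixed timestamp, not the copy time
    info.uid = info.gid = 0                  # no builder-specific ids
    info.uname = info.gname = ""
    if info.issym():
        info.mode = 0o777
    else:
        # keep only "executable or not" so umask differences disappear
        info.mode = 0o755 if (info.isdir() or info.mode & 0o100) else 0o644
    return info


def build_tarball(src_dir, prefix, epoch=0):
    """Return .tar.gz bytes for src_dir, stored under prefix/ in the archive."""
    members = []
    for root, dirs, files in os.walk(src_dir):
        for name in dirs + files:
            members.append(os.path.relpath(os.path.join(root, name), src_dir))
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for rel in sorted(members):          # fixed order, not directory order
            tar.add(os.path.join(src_dir, rel), arcname=f"{prefix}/{rel}",
                    recursive=False,
                    filter=lambda ti: _normalize(ti, epoch))
    out = io.BytesIO()
    # mtime=0 and an empty filename keep the gzip header constant as well
    with gzip.GzipFile(filename="", fileobj=out, mode="wb", mtime=0) as gz:
        gz.write(raw.getvalue())
    return out.getvalue()


def sha256_hex(data):
    """Checksum to publish next to the tarball and to compare on rebuild."""
    return hashlib.sha256(data).hexdigest()
```

Two builds from separate copies of the same tree then give the same SHA-256, so a rebuilt tarball can be compared by checksum alone. The compressed bytes can still differ between zlib versions, so compare builds made with the same toolchain.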