Task Todo List Unstable GNU translations
Since the RFC about source transparency[1], we have noticed some reproducible-builds issues with GNU projects.
Their git repositories do not contain the entire source code (as we define it), and building from git downloads additional files that aren't pinned by cryptographic checksums.
The packages can be reproduced shortly after they've been released, but become unreproducible over time. In some cases the package starts to fail-to-build-from-source because our integrity checks for source code inputs are failing (due to upstream editing)[2].
In some packages we fixed this already by taking the translations out of the released dist tarballs[3][4] (which is not elegant, but the best compromise at the moment).
The list is incomplete and updated as more instances are found.
[1]: https://rfc.archlinux.page/0046-upstream-package-sources/#transparency
[2]: https://gitlab.archlinux.org/archlinux/packaging/packages/gdbm/-/issues/3
[3]: https://gitlab.archlinux.org/archlinux/packaging/packages/coreutils/-/merge_requests/2
[4]: https://gitlab.archlinux.org/archlinux/packaging/packages/wget/-/merge_requests/2
| Arch | Repository | Name | Current Version | Staging Version | Maintainers | Status | Last Touched By |
|---|---|---|---|---|---|---|---|
| x86_64 | Core | diffutils | 3.12-2 | | seblu, eworm | Incomplete | |
| x86_64 | Core | gdbm | 1.26-1 | | dvzrv | Incomplete | |
| x86_64 | Core | grep | 3.12-2 | | seblu, eworm | Incomplete | |
| x86_64 | Core | grub | 2:2.14rc1.r54.g29f3131a-2 | | tpowa, eworm | Incomplete | |