|
|
|
|
|
|
by ErikCorry
1236 days ago
|
|
|
1) Ah of course, this is SHA256, my mistake. 2) If I and the upstream are both looking at a file that was generated by Github then the Sha may match, but that doesn't prove we weren't both owned by Github. Perhaps what I am missing is that this isn't part of a reproducible build scenario. There's no attempt to ensure that the file Github had built is the one I would build with the same starting point. |
|
|