
Reproducing the release tarballs

From: Daniel Stenberg via curl-library <>
Date: Sat, 30 Mar 2024 18:29:48 +0100 (CET)


In the light of the xz attack, I would like to mention that in order to
reproduce the tarballs I upload for curl release, this is necessary:

- Clone the repo and check out the release tag

- Install the same set of tools + versions I use

- run "./maketgz [version]"

For the most recent curl release, my toolset that I believe might affect the
results includes:

- autoconf (GNU Autoconf) 2.71
- automake (GNU automake) 1.16.5
- libtoolize (GNU libtool) 2.4.7
- GNU Make 4.3
- perl v5.38.2
- git version 2.43.0

(make, perl and git most probably have very little effect but I figure
including them in the list could be worth it since they are invoked in the
release process)

Any proposals for how to document the exact set of tools+versions I use for
each release in case someone in the future wants to reproduce an ancient
release tarball?

  | Commercial curl support up to 24x7 is available!
  | Private help, bug fixes, support, ports, new features
Received on 2024-03-30
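
Once a tarball has been regenerated with the steps in the mail above, it still has to be compared against the uploaded one. The following is an added example, not part of the original mail or of the curl project's tooling: it compares two archives file by file instead of byte for byte, on the assumption that archive-level metadata such as timestamps may differ between builds. All function names are hypothetical and the sample archives are constructed in memory.

```python
import hashlib
import io
import tarfile


def member_digests(tar_bytes, strip_top=True):
    """Map each regular file's path to the SHA-256 of its content."""
    digests = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for m in tar:
            if not m.isfile():
                continue
            # Drop the leading "curl-X.Y.Z/" directory so differently named
            # top-level directories do not mask a content comparison.
            name = m.name.split("/", 1)[1] if strip_top and "/" in m.name else m.name
            digests[name] = hashlib.sha256(tar.extractfile(m).read()).hexdigest()
    return digests


def compare_tarballs(released, rebuilt):
    """Return files only in one archive and files whose content differs."""
    a, b = member_digests(released), member_digests(rebuilt)
    return {
        "only_in_released": sorted(a.keys() - b.keys()),
        "only_in_rebuilt": sorted(b.keys() - a.keys()),
        "content_differs": sorted(n for n in a.keys() & b.keys() if a[n] != b[n]),
    }


def make_sample(files, mtime):
    """Build a constructed .tar.gz in memory (sample data, not a real release)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo("curl-0.0.0/" + name)
            info.size, info.mtime = len(data), mtime
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


if __name__ == "__main__":
    base = {"configure": b"#!/bin/sh\necho ok\n", "src/main.c": b"int main(void){return 0;}\n"}
    released = make_sample({**base, "m4/extra.m4": b"# present only in the upload\n"}, mtime=1)
    tampered = dict(base, configure=b"#!/bin/sh\necho changed\n")
    print(compare_tarballs(released, make_sample(base, mtime=2)))
    print(compare_tarballs(released, make_sample(tampered, mtime=2)))
```

Any entry in the three lists is a file to inspect by hand; a file that exists only in the uploaded tarball and not in a rebuild from the tagged source deserves the closest look.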