
Re: Reproducing the release tarballs

From: Dan Fandrich via curl-library <>
Date: Sat, 30 Mar 2024 20:40:12 -0700

On Sat, Mar 30, 2024 at 06:29:48PM +0100, Daniel Stenberg via curl-library wrote:
> Any proposals for how to document the exact set of tools+versions I use for
> each release in case someone in the future wants to reproduce an ancient
> release tarball?

SPDX seems to be the standard SBOM format for this that tools are starting to
expect. The format is able to handle complex situations, but given the very
limited scope needed in curl and for source releases only, once you get a
template file set up the first time filling in the details for every release
should be simple.

The spec is at but it's probably easier to
look at some simple examples to get a feel for it. Even running "reuse spdx" in
the curl tree (the same tool that's keeping curl in REUSE compliance in that CI
build) will output an SPDX file for curl. That one doesn't include the source
build dependencies that you're interested in (because that's not what that
particular tool does) but could be a start of something. The curl SBOM could
also include Debian package names+versions as dependencies.

Received on 2024-03-31
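As an added illustration of the approach the reply sketches (not code from the thread, nor curl's own release tooling), the script below emits a minimal SPDX 2.3 JSON document whose root package is a release tarball (identified by its SHA-256) and whose remaining packages are the Debian build tools that produced it, each carrying a Debian purl and a BUILD_TOOL_OF relationship to the tarball. The dpkg-query output, the tarball bytes and the namespace URL are constructed sample values; the release name and version are placeholders.

```python
"""Minimal SPDX 2.3 JSON SBOM recording the Debian packages used to build a
source release tarball.  Added example, not curl's release tooling; every
input below is constructed for the demonstration."""
import hashlib
import json
import re
from datetime import datetime, timezone

# Constructed sample of the output of
#   dpkg-query -W -f '${Package}\t${Version}\n' autoconf automake libtool m4 perl
SAMPLE_DPKG_OUTPUT = """\
autoconf\t2.71-3
automake\t1:1.16.5-1.3
libtool\t2.4.7-5
m4\t1.4.19-3
perl\t5.36.0-7
"""


def parse_dpkg_query(text):
    """Parse 'name<TAB>version' lines into (name, version) tuples.
    Blank lines are skipped; any other malformed line raises ValueError so a
    broken package list never silently becomes an empty SBOM."""
    tools = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("\t")
        if len(parts) != 2 or not parts[0] or not parts[1]:
            raise ValueError("unexpected dpkg-query line: %r" % line)
        tools.append((parts[0], parts[1]))
    return tools


def deb_purl(name, version, distro="debian"):
    """Package URL for a Debian package.  The epoch separator ':' in a
    Debian version is not allowed raw in a purl and is percent-encoded."""
    return "pkg:deb/%s/%s@%s" % (distro, name, version.replace(":", "%3A"))


def spdx_id(*parts):
    """SPDX identifiers allow only letters, digits, '.' and '-'; package
    names such as 'g++' must be sanitised before use."""
    return "SPDXRef-" + re.sub(r"[^A-Za-z0-9.-]", "-", "-".join(parts))


def build_sbom(release_name, release_version, tarball_bytes, tools,
               namespace_base="https://example.invalid/spdx",  # assumed URL
               created=None):
    """Return an SPDX 2.3 document (as a dict): the tarball is the described
    package, each build tool is a package related to it via BUILD_TOOL_OF."""
    created = created or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    sha256 = hashlib.sha256(tarball_bytes).hexdigest()
    root_id = spdx_id("Package", release_name, release_version)
    packages = [{
        "name": release_name,
        "SPDXID": root_id,
        "versionInfo": release_version,
        "downloadLocation": "NOASSERTION",
        "filesAnalyzed": False,
        "checksums": [{"algorithm": "SHA256", "checksumValue": sha256}],
    }]
    relationships = [{
        "spdxElementId": "SPDXRef-DOCUMENT",
        "relationshipType": "DESCRIBES",
        "relatedSpdxElement": root_id,
    }]
    for name, version in tools:
        tool_id = spdx_id("Tool", name)
        packages.append({
            "name": name,
            "SPDXID": tool_id,
            "versionInfo": version,
            "downloadLocation": "NOASSERTION",
            "filesAnalyzed": False,
            "externalRefs": [{
                "referenceCategory": "PACKAGE-MANAGER",
                "referenceType": "purl",
                "referenceLocator": deb_purl(name, version),
            }],
        })
        relationships.append({
            "spdxElementId": tool_id,
            "relationshipType": "BUILD_TOOL_OF",
            "relatedSpdxElement": root_id,
        })
    return {
        "spdxVersion": "SPDX-2.3",
        "dataLicense": "CC0-1.0",
        "SPDXID": "SPDXRef-DOCUMENT",
        "name": "%s-%s-release-tools" % (release_name, release_version),
        # The namespace must be unique per document; the tarball hash makes it so.
        "documentNamespace": "%s/%s-%s-%s" % (namespace_base, release_name,
                                              release_version, sha256[:12]),
        "creationInfo": {"created": created,
                         "creators": ["Tool: release-sbom-example"]},
        "packages": packages,
        "relationships": relationships,
    }


def sbom_json(doc):
    """Stable serialisation so two runs over the same inputs diff cleanly."""
    return json.dumps(doc, indent=2, sort_keys=True)


if __name__ == "__main__":
    tarball = b"constructed stand-in for the release tarball bytes\n"
    doc = build_sbom("curl", "X.Y.Z", tarball, parse_dpkg_query(SAMPLE_DPKG_OUTPUT))
    print(sbom_json(doc))
```

Recording the tarball's own checksum in the same document is what lets someone later confirm that the tool set listed here is the one that produced the artifact they hold; the purls are what lets them fetch exactly those Debian package versions from an archive such as snapshot.debian.org.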