hash-stable source tarball release of torbrowser
Could torbrowser please provide a source tarball release, which has a stable hash?
The current releases are generated on-the-fly by git and a given release can have one hash today, but another hash tomorrow, even though it's the same release tarball.
This poses a problem in any scenario where hash-verification of the source tarball is needed.
Such is the case, for instance, with source-based GNU/Linux distros like Gentoo. The package manager checks the hash of the sources before building, for security and quality assurance reasons.
The stability does not mean that the sources must be available for an extremely long time. It's OK if they vanish, because Gentoo has a mirroring system in place. The only requirement is that a given source URL has a constant hash.
Reference of a downstream bug: https://github.com/MeisterP/torbrowser-overlay/issues/14
Trac:
Username: w3ICKRsTMaxPeO
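
An added example (not part of the original ticket, and not Tor Project or Gentoo code) of the failure mode described above: two tarballs with identical file contents but different archive bytes, so a pinned-hash check accepts one and rejects the other. Regeneration is simulated by varying the gzip header timestamp, which is an assumption for illustration and not a statement of why the torbrowser tarballs change; the file names, contents and function names are constructed.

```python
import gzip, hashlib, io, tarfile

# Constructed sample source tree (not real torbrowser files).
FILES = {"src/main.c": b"int main(void){return 0;}\n", "README": b"demo\n"}

def make_tarball(files, gzip_mtime):
    """Build a .tar.gz in memory with fixed tar metadata; only the
    gzip header timestamp varies between calls."""
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        for name in sorted(files):           # stable member order
            info = tarfile.TarInfo(name)     # uid/gid 0, empty owner names
            info.size = len(files[name])
            info.mtime = 0                   # fixed per-file timestamp
            tar.addfile(info, io.BytesIO(files[name]))
    out = io.BytesIO()
    with gzip.GzipFile(fileobj=out, mode="wb", mtime=gzip_mtime) as gz:
        gz.write(raw.getvalue())
    return out.getvalue()

def archive_sha256(blob):
    """Hash of the archive bytes, which is what a distro manifest pins."""
    return hashlib.sha256(blob).hexdigest()

def content_sha256(blob):
    """Hash over member names and file bytes only, ignoring container metadata."""
    h = hashlib.sha256()
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tar:
        for m in sorted(tar.getmembers(), key=lambda m: m.name):
            if m.isfile():
                data = tar.extractfile(m).read()
                h.update(m.name.encode() + b"\0" + str(len(data)).encode() + b"\0" + data)
    return h.hexdigest()

def verify(blob, pinned_sha256):
    """The pre-build check: reject any archive whose hash is not the pinned one."""
    return archive_sha256(blob) == pinned_sha256

if __name__ == "__main__":
    today = make_tarball(FILES, gzip_mtime=1_000_000)     # "release as fetched today"
    tomorrow = make_tarball(FILES, gzip_mtime=2_000_000)  # "same release, regenerated"
    pinned = archive_sha256(today)
    print("same contents:   ", content_sha256(today) == content_sha256(tomorrow))
    print("today verifies:  ", verify(today, pinned))
    print("tomorrow verifies:", verify(tomorrow, pinned))
```

A tarball that is built once and then served as a static file keeps the same bytes, so the pinned hash keeps verifying.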