@kpcyrd mentioned in #reproducible-builds on 2014-07-25 that it seems that in the tar.gz we generate, we do not sort the files the same way as git archive, GitHub tar downloads and tar --sort=name. (GitHub downloads usually match git -c tar.tar.gz.command="gzip -cn" archive --prefix="$NAME-$VERSION/" -o archive.tar.gz "$TAG".)

We sort at https://github.com/openSUSE/obs-service-tar_scm/blob/master/TarSCM/archive.py#L234
Also permission mode is 0o755 vs 0o775.
Example: diff https://whatsrc.org/diff/sha256:0edf2381dfe48feaf65c117fa51e5c9231ad8d659d102d14a3481e9b2af42b36/sha256:2e5fca25b4d4ee6c6a9556795cf958537cf3401d51268fec86b3c0af1be945f5 that compares https://github.com/google/osv-scanner/archive/v1.8.2/osv-scanner-1.8.2.tar.gz with buildtime generated tar from .src.rpm from https://build.opensuse.org/package/show/openSUSE:Factory/osv-scanner
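
A way to check the two differences reported above (member order and permission mode) between two tarballs, as an added example that is not part of the original report or of obs-service-tar_scm. The archive contents, the `pkg-1.0` names and the helper names are constructed for illustration; "sorted" here means Python's code-point string order.

```python
import io
import tarfile

def make_tar(entries):
    """Build an in-memory tar from (name, mode, is_dir) tuples, in the given order."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, mode, is_dir in entries:
            info = tarfile.TarInfo(name)
            info.mode = mode
            info.type = tarfile.DIRTYPE if is_dir else tarfile.REGTYPE
            tf.addfile(info)  # zero-length members, only headers matter here
    return buf.getvalue()

def listing(data):
    """Return [(name, permission bits)] in the order members are stored."""
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
        return [(m.name, m.mode & 0o7777) for m in tf]

def compare(a, b):
    """Report ordering and mode differences between two tar archives."""
    la, lb = listing(a), listing(b)
    names_a, names_b = [n for n, _ in la], [n for n, _ in lb]
    report = {
        "same_members": sorted(names_a) == sorted(names_b),
        "a_sorted_by_name": names_a == sorted(names_a),
        "b_sorted_by_name": names_b == sorted(names_b),
        # First position where the stored order diverges, or None
        "first_order_diff": next(
            ((i, x, y) for i, (x, y) in enumerate(zip(names_a, names_b)) if x != y),
            None),
        "mode_diffs": {},
    }
    modes_b = dict(lb)
    for name, mode in la:
        if name in modes_b and modes_b[name] != mode:
            report["mode_diffs"][name] = (oct(mode), oct(modes_b[name]))
    return report

# Constructed sample archives: same members, different order and directory modes.
ARCHIVE_A = make_tar([("pkg-1.0", 0o775, True), ("pkg-1.0/README.md", 0o644, False),
                      ("pkg-1.0/cmd", 0o775, True), ("pkg-1.0/cmd/main.go", 0o644, False)])
ARCHIVE_B = make_tar([("pkg-1.0", 0o755, True), ("pkg-1.0/cmd", 0o755, True),
                      ("pkg-1.0/cmd/main.go", 0o644, False), ("pkg-1.0/README.md", 0o644, False)])

if __name__ == "__main__":
    for key, value in compare(ARCHIVE_A, ARCHIVE_B).items():
        print(f"{key}: {value}")
```

For real archives, read the two files as bytes and pass them to `compare()`; `mode="r:*"` handles the gzip layer transparently.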