Re: [PR] Add `build-attestation` goal [commons-build-plugin]

2026-03-30 Thread via GitHub


ppkarwasz commented on PR #417:
URL: https://github.com/apache/commons-build-plugin/pull/417#issuecomment-4156733780

   I am closing this PR, since it has been replaced with 
apache/commons-release-plugin#422 in the other Maven plugin.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]



Re: [PR] Add `build-attestation` goal [commons-build-plugin]

2026-03-30 Thread via GitHub


ppkarwasz closed pull request #417: Add `build-attestation` goal
URL: https://github.com/apache/commons-build-plugin/pull/417





Re: [PR] Add `build-attestation` goal [commons-build-plugin]

2026-03-30 Thread via GitHub


ppkarwasz commented on PR #417:
URL: https://github.com/apache/commons-build-plugin/pull/417#issuecomment-4154695422

   > It is odd that the dependency on Commons Codec `1.22.0-SNAPSHOT` doesn't 
show up as an addition in the GH UI. How is that possible?
   
   
   This PR is against a `codec-1.22.0` branch, so it doesn't accidentally end 
up in `master` before the Codec 1.22.0 release. The additional dependency was 
added in that branch.
   
   > > The generated in-toto attestation is pretty much work in progress and 
currently looks like:
   > 
   > I thought the JSON format was a standard? Surely we shouldn't invent our 
own, right?
   
   
   The [schema for SLSA Build 
attestations](https://slsa.dev/spec/v1.2/build-provenance#schema) does not 
strictly define all the components. The exact semantics of the document depend 
on the value of `predicate.buildDefinition.buildType`, which should be a URL 
to a human-readable document that describes the “build platform”. For example: 
https://github.com/slsa-framework/github-actions-buildtypes/tree/main/workflow/v1. 
I started to draft such documentation for the Commons build process, but I 
haven't finished yet.
   
   In particular the schema of these elements is not defined:
   
   - `predicate.buildDefinition.internalParameters`,
   - `predicate.buildDefinition.externalParameters`,
   - `predicate.runDetails.builder.id`.
   
   > What does the sample document attest? Attesting a dependency on a snapshot 
like `commons-lang3-3.21.0-SNAPSHOT.jar` doesn't mean anything, since that's 
not reproducible.
   
   
   The sample document I shared is the result of calling `build-attestation` 
against the current `master` branch of `commons-lang3`. It contains:
   
   - In the `subject` field: all the artifacts attached to the build. Of 
course, since the goal is meant for Commons, we can decide to exclude in code 
the artifacts with type `tar.gz` and `zip`, which are not sent to Maven Central.
   - In `externalParameters` you'll find some parameters of the Maven execution 
that created the artifacts and the attestation: JVM args, some 
`MavenExecutionRequest` data and a selected list of environment properties that 
we know can influence reproducibility (`TZ` and locale, but I didn't set `TZ` 
this time).
   - In `resolvedDependencies` you'll find the details of my JDK and Maven 
installation. I also tried to capture the data usually available when you call 
`mvn --version`, but due to classloader isolation they were not available.


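The comment above separates the parts of the attestation that the in-toto/SLSA schema does fix (`_type`, `predicateType`, and each `subject` entry's `name`, `uri` and `digest`) from the parts left to the `buildType` document. What follows is an added example, not code from commons-build-plugin or commons-release-plugin: a consumer-side Python check that parses each subject's Maven purl, confirms the `uri` agrees with the `name` under the standard repository layout, recomputes SHA-256 over the artifacts on disk, and, as a local policy choice prompted by the SNAPSHOT objection in the thread, flags `-SNAPSHOT` versions. The `TYPE_TO_EXTENSION` mapping is an assumption read off the sample document, and `SAMPLE_STATEMENT` is a constructed statement whose digest covers the bytes `abc`, not any real Commons artifact.

```python
"""Consumer-side check of an in-toto Statement v1 / SLSA Provenance v1 document.

Added example for this thread, not code from commons-build-plugin. It verifies the
fields the schema pins down against artifacts on disk and flags SNAPSHOT subjects.
"""
import hashlib
import tempfile
from pathlib import Path
from urllib.parse import parse_qs

STATEMENT_TYPE = "https://in-toto.io/Statement/v1"
SLSA_PROVENANCE_V1 = "https://slsa.dev/provenance/v1"

# purl `type` -> file extension. Assumption read off the thread's sample: Maven's
# artifact handlers map test-jar, java-source and javadoc to a ".jar" file.
TYPE_TO_EXTENSION = {"jar": "jar", "test-jar": "jar", "java-source": "jar", "javadoc": "jar"}


def sha256_file(path):
    """Return the lowercase hex SHA-256 of a file's contents."""
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def parse_maven_purl(purl):
    """Split pkg:maven/<group>/<artifact>@<version>?classifier=..&type=.. into parts."""
    prefix = "pkg:maven/"
    if not purl.startswith(prefix):
        raise ValueError(f"not a Maven purl: {purl}")
    path, _, query = purl[len(prefix):].partition("?")
    coords, _, version = path.partition("@")
    group, _, artifact = coords.rpartition("/")
    if not (group and artifact and version):
        raise ValueError(f"malformed Maven purl: {purl}")
    qs = {k: v[0] for k, v in parse_qs(query).items()}
    return {"group": group, "artifact": artifact, "version": version,
            "classifier": qs.get("classifier"), "type": qs.get("type", "jar")}


def expected_filename(coords):
    """Maven repository layout: artifact-version[-classifier].extension."""
    ext = TYPE_TO_EXTENSION.get(coords["type"], coords["type"])
    base = f"{coords['artifact']}-{coords['version']}"
    if coords["classifier"]:
        base += f"-{coords['classifier']}"
    return f"{base}.{ext}"


def verify_statement(statement, artifact_dir, allow_snapshots=False):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    if statement.get("_type") != STATEMENT_TYPE:
        findings.append(f"unexpected _type: {statement.get('_type')!r}")
    if statement.get("predicateType") != SLSA_PROVENANCE_V1:
        findings.append(f"unexpected predicateType: {statement.get('predicateType')!r}")
    build_def = statement.get("predicate", {}).get("buildDefinition", {})
    if not build_def.get("buildType"):
        findings.append("predicate.buildDefinition.buildType is missing")
    for subject in statement.get("subject", []):
        name = subject.get("name", "<unnamed>")
        try:
            coords = parse_maven_purl(subject["uri"])
        except (KeyError, ValueError) as exc:
            findings.append(f"{name}: bad uri ({exc})")
            continue
        if expected_filename(coords) != name:
            findings.append(f"{name}: uri {subject['uri']} does not match subject name")
        if coords["version"].endswith("-SNAPSHOT") and not allow_snapshots:
            findings.append(f"{name}: SNAPSHOT version attested, build is not reproducible")
        path = Path(artifact_dir) / name
        if not path.is_file():
            findings.append(f"{name}: artifact not present in {artifact_dir}")
            continue
        claimed = subject.get("digest", {}).get("sha256")
        actual = sha256_file(path)
        if actual != claimed:
            findings.append(f"{name}: sha256 mismatch, attested {claimed}, actual {actual}")
    return findings


# Constructed sample, not the thread's real digests: the jar's bytes are b"abc",
# whose SHA-256 is ba7816bf...15ad, so the clean run below must verify.
SAMPLE_STATEMENT = {
    "_type": STATEMENT_TYPE,
    "subject": [{
        "name": "commons-lang3-3.21.0-SNAPSHOT.jar",
        "uri": "pkg:maven/org.apache.commons/commons-lang3@3.21.0-SNAPSHOT?type=jar",
        "digest": {"sha256": "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"},
    }],
    "predicateType": SLSA_PROVENANCE_V1,
    "predicate": {"buildDefinition": {"buildType": "https://commons.apache.org/builds/0.1.0"}},
}


def demo():
    """Verify a matching artifact, then one altered after attestation; return both finding lists."""
    with tempfile.TemporaryDirectory() as d:
        jar = Path(d) / "commons-lang3-3.21.0-SNAPSHOT.jar"
        jar.write_bytes(b"abc")
        clean = verify_statement(SAMPLE_STATEMENT, d, allow_snapshots=True)
        jar.write_bytes(b"abd")  # one byte changed after the attestation was produced
        tampered = verify_statement(SAMPLE_STATEMENT, d, allow_snapshots=True)
    return clean, tampered
```

`demo()` returns an empty finding list for the untouched artifact and a single `sha256 mismatch` finding for the altered one; calling `verify_statement` with `allow_snapshots=False` adds a SNAPSHOT finding for the same subject. The check deliberately stops at the schema-defined fields: nothing in `externalParameters` or `resolvedDependencies` can be validated generically until the `buildType` document says what those keys mean.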



Re: [PR] Add `build-attestation` goal [commons-build-plugin]

2026-03-30 Thread via GitHub


garydgregory commented on PR #417:
URL: https://github.com/apache/commons-build-plugin/pull/417#issuecomment-4154153367

   It is odd that the dependency on Commons Codec `1.22.0-SNAPSHOT` doesn't 
show up as an addition in the GH UI. How is that possible?
   
   I thought the JSON format was a standard? Surely we shouldn't invent our 
own, right?





Re: [PR] Add `build-attestation` goal [commons-build-plugin]

2026-03-30 Thread via GitHub


ppkarwasz commented on PR #417:
URL: https://github.com/apache/commons-build-plugin/pull/417#issuecomment-4153929821

   The build failure is probably due to a symbolic link to a directory in the 
runner's Java distribution. I will fix that in `commons-codec`.





Re: [PR] Add `build-attestation` goal [commons-build-plugin]

2026-03-30 Thread via GitHub


ppkarwasz commented on PR #417:
URL: https://github.com/apache/commons-build-plugin/pull/417#issuecomment-4153893679

   The generated in-toto attestation is pretty much a work in progress and 
currently looks like:
   
   ```json
   {
     "_type": "https://in-toto.io/Statement/v1",
     "subject": [
       {
         "name": "commons-lang3-3.21.0-SNAPSHOT.jar",
         "uri": "pkg:maven/org.apache.commons/commons-lang3@3.21.0-SNAPSHOT?type=jar",
         "digest": {
           "sha256": "ee1651528c4192694e266ddca6020070e6ca5349f2d207c8f8315ecdc8b6d31e"
         }
       },
       {
         "name": "commons-lang3-3.21.0-SNAPSHOT-javadoc.jar",
         "uri": "pkg:maven/org.apache.commons/commons-lang3@3.21.0-SNAPSHOT?classifier=javadoc&type=javadoc",
         "digest": {
           "sha256": "f2893c0a934aae85f0917d6789f56a1a3fd06fdddf6060ced991fe78ca161590"
         }
       },
       {
         "name": "commons-lang3-3.21.0-SNAPSHOT-tests.jar",
         "uri": "pkg:maven/org.apache.commons/commons-lang3@3.21.0-SNAPSHOT?classifier=tests&type=test-jar",
         "digest": {
           "sha256": "b369929c076d7a1260662089cf7eca406ac0c249a728b59e6b33c9a663820928"
         }
       },
       {
         "name": "commons-lang3-3.21.0-SNAPSHOT-sources.jar",
         "uri": "pkg:maven/org.apache.commons/commons-lang3@3.21.0-SNAPSHOT?classifier=sources&type=java-source",
         "digest": {
           "sha256": "fde78aa1ac57bd1859991ef9fe8af6c8cb5daf65858f232328eee54d989b51f5"
         }
       },
       {
         "name": "commons-lang3-3.21.0-SNAPSHOT-test-sources.jar",
         "uri": "pkg:maven/org.apache.commons/commons-lang3@3.21.0-SNAPSHOT?classifier=test-sources&type=java-source",
         "digest": {
           "sha256": "3b40d7337ce62e56121a77d855e009a6aada65e71a3b265fab5aae5575af4097"
         }
       },
       {
         "name": "commons-lang3-3.21.0-SNAPSHOT-cyclonedx.xml",
         "uri": "pkg:maven/org.apache.commons/commons-lang3@3.21.0-SNAPSHOT?classifier=cyclonedx&type=xml",
         "digest": {
           "sha256": "909a13f4cca6532d636bfac3b14fa7bd39534dd3a1c9e6ff0a1dcab4adbfcf7d"
         }
       },
       {
         "name": "commons-lang3-3.21.0-SNAPSHOT-cyclonedx.json",
         "uri": "pkg:maven/org.apache.commons/commons-lang3@3.21.0-SNAPSHOT?classifier=cyclonedx&type=json",
         "digest": {
           "sha256": "ce14e90c8b82867046cd52217c7fa45acb7f9a9e6a3815db0f45a8044d50ffbc"
         }
       },
       {
         "name": "commons-lang3-3.21.0-SNAPSHOT.spdx.json",
         "uri": "pkg:maven/org.apache.commons/commons-lang3@3.21.0-SNAPSHOT?type=spdx.json",
         "digest": {
           "sha256": "2aeefe66942acc591768b1b6507a849addcd6accd36833963d5a43d0885f7c13"
         }
       },
       {
         "name": "commons-lang3-3.21.0-SNAPSHOT-bin.tar.gz",
         "uri": "pkg:maven/org.apache.commons/commons-lang3@3.21.0-SNAPSHOT?classifier=bin&type=tar.gz",
         "digest": {
           "sha256": "8aa63ee5fc91f3c572e8efe1be1a899beac06f4cecb7f6ad09c51883925801a5"
         }
       },
       {
         "name": "commons-lang3-3.21.0-SNAPSHOT-bin.zip",
         "uri": "pkg:maven/org.apache.commons/commons-lang3@3.21.0-SNAPSHOT?classifier=bin&type=zip",
         "digest": {
           "sha256": "54d82986f78cadbfa246a7b35d41a08b36adb6f67dc638dc16c6ea0d11419853"
         }
       },
       {
         "name": "commons-lang3-3.21.0-SNAPSHOT-src.tar.gz",
         "uri": "pkg:maven/org.apache.commons/commons-lang3@3.21.0-SNAPSHOT?classifier=src&type=tar.gz",
         "digest": {
           "sha256": "46d16144d0a6a02931349fcad252b04e6d2f7feb2bd0103a67c212a1220636e4"
         }
       },
       {
         "name": "commons-lang3-3.21.0-SNAPSHOT-src.zip",
         "uri": "pkg:maven/org.apache.commons/commons-lang3@3.21.0-SNAPSHOT?classifier=src&type=zip",
         "digest": {
           "sha256": "6de609cc8ba5011231fa466e9cce68cc631c844754df0472600067fdca995ec9"
         }
       }
     ],
     "predicateType": "https://slsa.dev/provenance/v1",
     "predicate": {
       "buildDefinition": {
         "buildType": "https://commons.apache.org/builds/0.1.0",
         "externalParameters": {
           "maven.profiles": [
             "release"
           ],
           "maven.cmdline": "clean verify -Prelease -DskipTests=true",
           "jvm.args": [
             "--enable-native-access=ALL-UNNAMED",
             "-Dclassworlds.conf=/opt/maven/bin/m2.conf",
             "-Dmaven.home=/opt/maven",
             "-Dlibrary.jansi.path=/opt/maven/lib/jansi-native",
             "-Dmaven.multiModuleProjectDirectory=/home/piotr/workspace/commons/lang"
           ],
           "maven.user.properties": {
             "skipTests": "true"
           },
           "maven.goals": [
             "clean",
             "verify"
           ],
           "env": {
             "LANG": "pl_PL.UTF-8"
           }
         },
         "internalParameters": {},
         "resolvedDependencies"