potiuk commented on PR #43557: URL: https://github.com/apache/airflow/pull/43557#issuecomment-2450650950
> > it caused the packages generated to be binary non-reproducible.
>
> What does this mean?

All the packages we release in Airflow are binary reproducible - which means that whoever builds them gets the exact binary-identical packages (or that's how it was supposed to be, but there was this bug). This follows the highly recommended in ASF (and in the future likely mandatory, or at least expected unless you have a good reason not to have it) property of produced artifacts to be binary reproducible, as this heavily improves security properties - especially for the supply dependency chain. We implemented reproducible builds with the help of the Sovereign Tech Fund last year. And all our builds are (well - not really, there is this bug which made them not reproducible). We added a reproducibility check as one of the gates to pass when we vote by the PMC - some 5 months ago - this is actually how I found today that our provider package builds are not reproducible today. The new `Apache Trusted Releases` platform to release packages that ASF infrastructure works on (and there will likely be a beta soon - and we will likely be one of the first users of it, I hope) will have specific features designed around binary reproducibility that will make it more secure (for example, binary reproducibility adds another layer of protection - with build reproducibility you can vastly simplify the checks of whether the hardware that you use to build packages on, or the tooling you use to build your packages, has not been compromised).
Also binary reproducibility is a pre-requisite (from the ASF policies point of view) to automate uploads of our artifacts to PyPI directly via GitHub Actions (this is tracked and hopefully we will have it soon: https://github.com/apache/airflow/issues/41937) via Trusted Publishing - which is yet another level of security of distribution that we work on together with the ASF and PSF for Airflow and for the Airflow software supply chain (Trusted Publishing is part of the "Airflow Beach Cleaning" I work on). You can read more about build reproducibility and why it matters here: https://reproducible-builds.org/
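The check the comment describes (rebuild the artifact independently and compare it byte for byte with what was published) can be demonstrated with a small self-contained script. The following is an added example and is not Airflow's release tooling: it builds a constructed, wheel-like zip archive in memory, shows how stamping the wall clock on entries makes two builds diverge, and shows how pinning timestamps (the `SOURCE_DATE_EPOCH` convention from reproducible-builds.org) and sorting entries makes repeated builds identical. All file names, contents and the `1700000000` epoch are constructed sample values.

```python
import hashlib
import io
import os
import time
import zipfile

# Constructed sample "package" contents, not Airflow's real files.
SAMPLE_FILES = {
    "example_pkg/__init__.py": b"__version__ = '1.0.0'\n",
    "example_pkg/module.py": b"def hello():\n    return 'hello'\n",
    "example_pkg-1.0.0.dist-info/METADATA": b"Name: example-pkg\nVersion: 1.0.0\n",
}


def build_archive(files, build_time):
    """Build a wheel-like zip archive in memory and return its bytes.

    build_time is the Unix timestamp stamped on every entry. Stamping the
    wall clock here is the classic reproducibility bug; a reproducible build
    takes it from SOURCE_DATE_EPOCH instead. Entries are written in sorted
    order so that filesystem listing order cannot leak into the output.
    """
    buf = io.BytesIO()
    # Zip entries carry DOS date/time (year >= 1980, 2-second granularity).
    date_time = time.gmtime(build_time)[:6]
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_STORED) as zf:
        for name in sorted(files):
            info = zipfile.ZipInfo(name, date_time=date_time)
            info.external_attr = 0o644 << 16  # fixed Unix permission bits
            zf.writestr(info, files[name])
    return buf.getvalue()


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def is_reproducible(builder, runs=3):
    """Run the builder several times; True only if every output is identical."""
    digests = {sha256_hex(builder()) for _ in range(runs)}
    return len(digests) == 1


def make_drifting_clock_builder(files, start, step=60):
    """Builder that stamps a later time on each run (simulates a wall-clock build)."""
    state = {"now": start}

    def builder():
        data = build_archive(files, state["now"])
        state["now"] += step
        return data

    return builder


def make_source_date_epoch_builder(files, source_date_epoch):
    """Builder that pins every entry's timestamp to SOURCE_DATE_EPOCH."""
    return lambda: build_archive(files, source_date_epoch)


def verify_rebuild(published_sha256, rebuilt_bytes):
    """Release-vote style gate: rebuild from source and compare with the published digest."""
    return sha256_hex(rebuilt_bytes) == published_sha256


if __name__ == "__main__":
    # Honour SOURCE_DATE_EPOCH if set, otherwise fall back to a constructed epoch.
    epoch = int(os.environ.get("SOURCE_DATE_EPOCH", "1700000000"))
    pinned = make_source_date_epoch_builder(SAMPLE_FILES, epoch)
    drifting = make_drifting_clock_builder(SAMPLE_FILES, epoch)
    print("pinned SOURCE_DATE_EPOCH reproducible:", is_reproducible(pinned))
    print("wall-clock timestamps reproducible:   ", is_reproducible(drifting))
    published = sha256_hex(pinned())
    print("independent rebuild matches published:", verify_rebuild(published, pinned()))
```

The two builders differ only in where the timestamp comes from, which is the kind of defect the comment is describing: with the pinned epoch, a second party (or the same release manager on different hardware) can rebuild from the tagged source and get the same digest, so a mismatch is a signal worth investigating rather than noise.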
