lhotari opened a new issue, #23477: URL: https://github.com/apache/pulsar/issues/23477
### Search before asking - [X] I searched in the [issues](https://github.com/apache/pulsar/issues) and found nothing similar. ### Motivation [Reproducible builds](https://reproducible-builds.org/) increase the security and integrity of the software supply chain. They allow verification that no vulnerabilities or backdoors have been introduced during the compilation process. This is particularly important for privacy and security-focused software like Apache Pulsar. ### Solution Implement reproducible builds for Apache Pulsar by: 1. Making the build system deterministic (e.g., removing timestamps, ordering output consistently) 2. Defining or recording the build environment and tools 3. Providing a way for users to recreate the build environment and validate the output 4. Ensure that the checks pass at https://github.com/jvm-repo-rebuild/reproducible-central/blob/master/content/org/apache/pulsar/README.md ### Alternatives No direct alternatives considered. Not implementing reproducible builds leaves the project more vulnerable to potential supply chain attacks. ### Anything else? This enhancement aligns with industry best practices and recommendations from security organizations like the NSA and CISA for improving software supply chain security. ### Are you willing to submit a PR? - [X] I'm willing to submit a PR! -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
