Hi Piotr

It sounds reasonable to me.

If you mean reproducible build (the build from the same source should create the same artifact), I submitted some changes a while ago, adding fixed file order, etc. We should be good (https://github.com/apache/iceberg/pull/8826).

I would add an additional check on the source distribution: the source distribution should not contain any unexpected binary file (gradle wrapper is OK, but other binaries should be avoided).

Similar to the dev/check-license script, maybe we can add a script helping reviewers (something like dev/check-rc) to already do some checks.

If there is no objection, happy to work on this :)

Regards
JB

On Tue, Aug 20, 2024 at 3:35 PM Piotr Findeisen <piotr.findei...@gmail.com> wrote:
>
> Hi All,
>
> Hi
>
> The release verification [1] includes testing release source tarball builds and also testing the binaries with downstream projects.
>
> Does it also contain, should it contain or is it a conscious omission of:
>
> 1. verifying the source tarball is what it should be (source matches the git repo state)
> 2. verifying the binaries are what should be built from the source ("repeatable builds")
>
> Best
> Piotr
>
> [1] https://iceberg.apache.org/how-to-release/#validating-a-source-release-candidate
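
One way the binary-file check proposed in the reply above could work, as an added example that is not part of the thread or of the Iceberg repository: it flags any archive member with a NUL byte in its first 8000 bytes (the heuristic git uses to treat a file as binary) unless the path is allowlisted. The allowlisted wrapper path, the function names and the in-memory sample tarball are assumptions constructed for illustration.

```python
import io
import tarfile

# Assumption: the only binary a reviewer accepts in the source tarball.
ALLOWED_BINARIES = {"gradle/wrapper/gradle-wrapper.jar"}
SNIFF_BYTES = 8000  # a NUL byte in this prefix marks the file as binary


def find_unexpected_binaries(tarball, allowed=ALLOWED_BINARIES):
    """Return sorted paths (top-level directory stripped) of binary members
    that are not on the allowlist. `tarball` is a binary file object."""
    unexpected = []
    with tarfile.open(fileobj=tarball, mode="r:*") as tar:
        for member in tar:
            if not member.isfile():
                continue  # directories, symlinks and devices hold no content
            # Strip the release's top-level directory from the member name.
            _, _, rel_path = member.name.partition("/")
            rel_path = rel_path or member.name
            head = tar.extractfile(member).read(SNIFF_BYTES)
            if b"\x00" in head and rel_path not in allowed:
                unexpected.append(rel_path)
    return sorted(unexpected)


def build_sample_tarball():
    """Constructed sample input: a tiny source tarball built in memory."""
    files = {
        "README.md": b"# sample project\n",
        "build.gradle": b"plugins { id 'java' }\n",
        "gradle/wrapper/gradle-wrapper.jar": b"PK\x03\x04\x00\x00wrapper",
        "lib/helper.jar": b"PK\x03\x04\x00\x00helper",
        "core/src/Main.class": b"\xca\xfe\xba\xbe\x00\x00\x00\x3d",
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo("sample-src-0.0.0/" + name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for path in find_unexpected_binaries(build_sample_tarball()):
        print("unexpected binary:", path)
```

A reviewer script would open the downloaded release candidate with `open(path, "rb")` and fail the check when the returned list is non-empty.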