Just tried at the drools repo and it failed in the reproducible build when I ran `mvn clean verify artifact:compare` :(
On Fri, Jun 14, 2024 at 12:08 PM Jan Šťastný <[email protected]> wrote:
>
> Hello all,
>
> In discussion with the security team I've been asked to provide answers to
> the following questions on how we fulfil the security requirements that go with
> automated GPG signing in the CI environment:
>
> https://infra.apache.org/release-signing.html#automated-release-signing
> requires that the build is binary reproducible and that "The release
> procedure contains a validation step where all artifacts are reproduced on
> trusted hardware (
> https://www.apache.org/legal/release-policy.html#owned-controlled-hardware)
> before publication to pages intended for end users"
>
> I'd like to ask everyone for assistance, especially in confirming that our
> builds are reproducible, but also to help me interpret the trusted
> hardware request.
>
> The more I think about this, the more I tend to think we will be asked to
> provide some documentation of how we release as a reference.
>
> Regards
> Jan

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
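When a reproducibility check such as `artifact:compare` fails, the next question is which archive entries differ and whether the difference is real content or only a leaked build timestamp. The script below is an added example, not code from this thread or from the Drools project: it compares two JAR/ZIP artifacts entry by entry and classifies the differences. The archives it inspects are constructed inline as sample data (the `_build_archive` helper, the entry names and the two timestamps are assumptions for the demo, not real Drools artifacts).

```python
"""Entry-by-entry comparison of two JAR/ZIP build artifacts.

Added example (not from the mailing-list thread or the project). Given a
reference artifact and a rebuild, it reports members missing on either side,
members whose content differs, and members that differ only in their stored
timestamp, which is the most common cause of a non-reproducible JAR.
"""
import hashlib
import io
import zipfile


def _entries(data: bytes) -> dict:
    """Map each archive member name to (sha256 of its content, stored mtime)."""
    out = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            digest = hashlib.sha256(zf.read(info)).hexdigest()
            out[info.filename] = (digest, info.date_time)
    return out


def compare_archives(reference: bytes, rebuild: bytes) -> dict:
    """Return a report describing how `rebuild` differs from `reference`."""
    ea, eb = _entries(reference), _entries(rebuild)
    report = {
        "identical": hashlib.sha256(reference).digest() == hashlib.sha256(rebuild).digest(),
        "only_in_reference": sorted(set(ea) - set(eb)),
        "only_in_rebuild": sorted(set(eb) - set(ea)),
        "content_differs": [],
        "timestamp_only": [],
    }
    for name in sorted(set(ea) & set(eb)):
        (hash_a, time_a), (hash_b, time_b) = ea[name], eb[name]
        if hash_a != hash_b:
            report["content_differs"].append(name)
        elif time_a != time_b:
            report["timestamp_only"].append(name)
    return report


def _build_archive(members, mtime) -> bytes:
    """Construct a small in-memory archive (sample data, not a real build)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members:
            info = zipfile.ZipInfo(name, date_time=mtime)
            info.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(info, content)
    return buf.getvalue()


# Constructed sample inputs: a normalized timestamp a reproducible build would
# write into every entry, versus a wall-clock time leaked by a CI build.
FIXED_TIME = (1980, 1, 1, 0, 0, 0)
CI_TIME = (2024, 6, 14, 12, 8, 0)

BASE_MEMBERS = [
    ("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n"),
    ("org/example/App.class", b"\xca\xfe\xba\xbe sample class bytes v1"),
]
CHANGED_MEMBERS = [
    ("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\nBuild-Jdk: 17\n"),
    ("org/example/App.class", b"\xca\xfe\xba\xbe sample class bytes v1"),
]

REFERENCE = _build_archive(BASE_MEMBERS, FIXED_TIME)
REBUILD_SAME = _build_archive(BASE_MEMBERS, FIXED_TIME)        # reproducible
REBUILD_TIMESTAMP = _build_archive(BASE_MEMBERS, CI_TIME)      # timestamps leaked
REBUILD_CHANGED = _build_archive(CHANGED_MEMBERS, FIXED_TIME)  # real content drift


if __name__ == "__main__":
    for label, rebuild in [("same", REBUILD_SAME),
                           ("timestamp", REBUILD_TIMESTAMP),
                           ("changed", REBUILD_CHANGED)]:
        print(label, compare_archives(REFERENCE, rebuild))
```

Entries listed under `timestamp_only` point at the build not pinning `project.build.outputTimestamp` (the Maven property the reproducible-builds plugins read), while anything under `content_differs` needs a look at the generated bytes themselves, for example an environment-dependent manifest attribute. Running the same comparison on a trusted machine against the CI-produced artifact is the validation step the quoted policy asks for.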
