Hi Gary, On Tue, 19 Dec 2023 at 14:05, Gary Gregory <garydgreg...@gmail.com> wrote: > Do note that building from sources, not git, is an Apache requirement. IIRC > reproducibility is a nice-to-have for Apache, but are we making this a > Logging or Log4J requirement?
Reproducibility is a requirement from the Apache Security team to allow publishing CI-generated artifacts. Since we don't own the machine that generates the artifacts, we must check the results it gives us. Of course I am taking reproducibility to an extreme: nobody (even `jvm-repo-rebuild/reproducible-central`) cares if Javadoc or source JARs are reproducible. And this is the case of 3.0.0-beta1 RC1: the `test-sources.jar` files are not reproducible, while the rest is. Piotr
