On Fri, Dec 5, 2025 at 7:36 PM Manfred Moser <[email protected]> wrote:
> I work for Chainguard and we are rebuilding artifacts from source within
> our infrastructure and create completely trusted binaries with SLSA and
> SBOM info and more and provide these binaries and supplementary files to
> our customers. Because Maven (JAR and others) builds are often not
> reproducible in terms of leading to exact same checksums (unless a
> project set it up to wipe timestamps and such) our binaries do have
> different checksums from the ones supplied via Maven Central.

I wouldn't expect checksums to match in a scenario like that. A different
entity is rebuilding the project with a potentially different compiler,
JDK, and chain of trust. I maybe don't want those checksums to match.

> At the moment even reproducible builds are not necessarily reproducible
> when it comes to shading classes into other jars and the exact
> dependencies being used when creating tarballs or whatever with JARs
> inside with the assembly plugin for example.

Again, I think that's working as intended. Shading changes the binary code
that's running. It shouldn't have the same checksum.

--
Elliotte Rusty Harold
[email protected]

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
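The timestamp effect Manfred describes, as an added example that is not part of the thread: two JARs built from byte-identical entries but with different entry timestamps hash differently, and rewriting every entry with one fixed timestamp (the approach Maven's reproducible-build support takes through the project.build.outputTimestamp property) makes the checksums match. The entry contents are constructed stand-ins for compiled output.

```python
import hashlib
import io
import zipfile

# Constructed sample entries standing in for a manifest and a compiled class.
ENTRIES = {
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "com/example/Hello.class": b"\xca\xfe\xba\xbe" + bytes(16),
}


def build_jar(entry_time):
    """Write the same entries into an in-memory JAR, stamping each with entry_time."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name in sorted(ENTRIES):  # fixed order: only the timestamp varies
            info = zipfile.ZipInfo(name, date_time=entry_time)
            info.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(info, ENTRIES[name])
    return buf.getvalue()


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def normalize_timestamps(jar_bytes, fixed_time=(1980, 1, 1, 0, 0, 0)):
    """Rewrite every entry with a fixed timestamp, as a reproducible-build setup does."""
    src = zipfile.ZipFile(io.BytesIO(jar_bytes))
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as zf:
        for info in sorted(src.infolist(), key=lambda i: i.filename):
            new = zipfile.ZipInfo(info.filename, date_time=fixed_time)
            new.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(new, src.read(info.filename))
    return out.getvalue()


def compare():
    """Return (raw checksums match, normalized checksums match) for two builds."""
    first = build_jar((2025, 12, 5, 19, 36, 0))   # "built" at one time
    second = build_jar((2025, 12, 6, 8, 0, 0))    # same inputs, built later
    raw_match = sha256(first) == sha256(second)
    normalized_match = sha256(normalize_timestamps(first)) == sha256(
        normalize_timestamps(second))
    return raw_match, normalized_match  # returns (False, True)
```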
