Hi all,

In the Maven project there is currently a great initiative to update the core 
Maven plugins to allow the creation of reproducible builds.

In theory using a given source package and running it with the same timestamp 
it should produce binary identical output.

I think this would be a great measure to increase trust. Right now 
theoretically nobody is able to check when voting on a release, if the staged 
Maven binaries were really built from the identical source.

With reproducible builds we could add another level of verification to our 
release process. Ideally the step of comparing the built artifacts with the 
ones staged in Nexus. However this should probably be automated though ;-)

What do you generally think? A path worth walking?

Chris
