nddipiazza commented on PR #1: URL: https://github.com/apache/tika-grpc-docker/pull/1#issuecomment-3693285734
## 🔒 Added Reproducible Builds Documentation

Added a comprehensive section on **Reproducible Builds** to the README, documenting how tika-grpc-docker ensures transparency and security in the software supply chain.

### What's Documented

**For Official Releases:**
- GPG signature verification process
- Multi-stage build separation
- Declarative dependency management

**For Development Builds:**
- Git-based source control and traceability
- Version pinning for reproducibility
- Build transparency

**Verification Instructions:**
- How to verify GPG signatures in release builds
- How to trace development builds to exact Git commits

### Why This Matters

Reproducible builds are critical for:
- **Security audits** - Verify binaries match audited source
- **Supply chain security** - Detect tampering or backdoors
- **Compliance** - Meet security requirements for regulated industries
- **Trust** - Anyone can independently verify the build

This aligns with Apache best practices and modern security standards. 🔐

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at: [email protected]
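The comment above summarizes the verification steps the new README section describes in words (GPG signature verification of release builds, version pinning for reproducibility). As an added example that is not part of the PR or the tika-grpc-docker repository, the shell functions below perform those checks: a SHA-512 checksum match, a detached GPG signature check against the project's KEYS file using a throwaway keyring, and a lint that flags Dockerfile base images not pinned to a tag or digest. The Apache-style `.sha512`/`.asc`/KEYS layout, the file names, and the Dockerfile contents are assumptions for illustration.

```shell
#!/usr/bin/env bash
# Added example, not code from the tika-grpc-docker repository.
# Assumed layout (Apache-style release): <artifact>, <artifact>.asc (detached
# signature), <artifact>.sha512 (checksum), and a KEYS file fetched from the
# project's official distribution location, not from the same mirror as the
# artifact.

# Verify an Apache-style .sha512 file. The first field of its first line is the
# expected hex digest ("<hash>  <filename>" or just "<hash>").
# Returns 0 on match, 1 on mismatch or when no SHA-512 tool is available.
verify_sha512() {
  vs_artifact="$1"; vs_checksum_file="$2"
  vs_expected=$(awk 'NR == 1 { print tolower($1) }' "$vs_checksum_file")
  if command -v sha512sum >/dev/null 2>&1; then
    vs_actual=$(sha512sum "$vs_artifact" | awk '{ print $1 }')
  elif command -v shasum >/dev/null 2>&1; then
    vs_actual=$(shasum -a 512 "$vs_artifact" | awk '{ print $1 }')
  else
    echo "verify_sha512: no sha512sum or shasum on PATH" >&2
    return 1
  fi
  [ -n "$vs_expected" ] && [ "$vs_expected" = "$vs_actual" ]
}

# Verify a detached GPG signature using ONLY the keys in the project's KEYS
# file: a throwaway GNUPGHOME means nothing already on the host keyring is
# trusted by accident. Returns gpg's exit status (0 = good signature).
verify_gpg_signature() {
  vg_artifact="$1"; vg_signature="$2"; vg_keys_file="$3"
  vg_home=$(mktemp -d) || return 1
  chmod 700 "$vg_home"
  GNUPGHOME="$vg_home" gpg --batch --quiet --import "$vg_keys_file" 2>/dev/null \
    || { rm -rf "$vg_home"; return 1; }
  GNUPGHOME="$vg_home" gpg --batch --verify "$vg_signature" "$vg_artifact"
  vg_status=$?
  rm -rf "$vg_home"
  return "$vg_status"
}

# Lint a Dockerfile for base images that are not pinned: a FROM whose image
# has no tag, uses :latest, or lacks an @sha256 digest defeats reproducibility.
# References to earlier build stages and "scratch" are exempt. Prints each
# offending line; returns 1 if any were found, 0 otherwise.
check_pinned_base_images() {
  awk '
    toupper($1) == "FROM" {
      ref = $2
      if (ref ~ /^--/) ref = $3          # skip flags such as --platform=...
      for (i = 1; i < NF; i++)           # remember "AS <stage>" aliases
        if (toupper($i) == "AS") stages[$(i + 1)] = 1
      if (ref == "scratch" || (ref in stages)) next
      if (ref ~ /@sha256:[0-9a-f]+$/) next          # digest-pinned
      n = split(ref, parts, "/"); last = parts[n]   # drop registry/namespace
      if (index(last, ":") > 0 && last !~ /:latest$/) next   # tag-pinned
      print "unpinned base image: " $0
      bad = 1
    }
    END { exit (bad ? 1 : 0) }
  ' "$1"
}

# Usage (all three checks on a downloaded release plus the Dockerfile), e.g.:
#   verify_sha512 tika-grpc.tgz tika-grpc.tgz.sha512 \
#     && verify_gpg_signature tika-grpc.tgz tika-grpc.tgz.asc KEYS \
#     && check_pinned_base_images Dockerfile
```

A good signature only proves the artifact was signed by some key in KEYS; confirm the signing key's fingerprint against the one the release announcement names before treating the build as verified. The Dockerfile lint is the cheap, automatable half of "version pinning": a tag can still move, so a digest pin is what makes a base image fully reproducible.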
