raulcd commented on issue #47798: URL: https://github.com/apache/arrow/issues/47798#issuecomment-3397651362
From my current understanding, we probably want to unify both the Build and Build artifact tarball steps and validate them to be reproducible via reprotest:

https://github.com/apache/arrow/blob/be6dddf228f73dafc34dafbe1343dc6a6680eb97/.github/workflows/package_linux.yml#L223-L228

and

https://github.com/apache/arrow/blob/be6dddf228f73dafc34dafbe1343dc6a6680eb97/.github/workflows/package_linux.yml#L239-L267

My current investigation is to create a new `dev/release/utils-create-package-linux-tarball.sh` script that unifies both of those steps and tries to generate the tarball we upload. Afterwards we untar and we sign the artifacts individually, but if we are able to produce reproducible content for this initial tarball, that should be enough to be able to sign using the automated GPG signature.

@kou is this your understanding as well? Did you have anything in mind?

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at: [email protected]
