garydgregory commented on PR #427: URL: https://github.com/apache/commons-codec/pull/427#issuecomment-4150246886
Hi @ppkarwasz

> Maven and JDK are already unpacked on your build machine, so it's not possible to get a classical hash of their distribution, but it is possible to make a “gitTree” hash, which is also among the [digests allowed in SLSA](https://github.com/in-toto/attestation/blob/main/spec/v1/digest_set.md#fields).

Do you plan on computing a hash of a Maven install folder? Does that mean anything without accounting for files in a user's home `.m2` folder like `settings-security.xml`, `settings.xml`, and `toolchains.xml`? What about the local `.m2/repository/` cache? Anything can be in there in the sense that I can override existing JARs with local builds or manual installs.

Will the project's attestation say a project was built with a list of plugins, those plugin hashes and all the hashes of their plugins and non-plugin dependencies? I'm trying to grasp what it is we are capturing and the value.
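The "gitTree" digest under discussion is the SHA-1 git itself assigns to a directory's tree object, so it is content-addressed (timestamps do not matter) and only covers what sits inside the hashed folder. The following is an added example, not code from this PR or from commons-codec, that computes that digest for an arbitrary directory and then shows what a hash of an install folder does and does not notice; the "apache-maven" layout and the sibling "m2/repository" directory are constructed stand-ins, not a real Maven distribution or local repository.

```python
"""Compute git-compatible "gitTree" digests for an unpacked directory (added example)."""
import hashlib
import os
import stat
import tempfile
from pathlib import Path
from typing import Optional

EMPTY_TREE_SHA1 = "4b825dc642cb6eb9a060e54bf8d69288fbee4904"  # git's well-known empty tree


def _blob_digest(data: bytes) -> bytes:
    # git blob object: "blob <size>\0" + content, hashed with SHA-1
    return hashlib.sha1(b"blob %d\0" % len(data) + data).digest()


def git_blob_sha1(data: bytes) -> str:
    """Hex SHA-1 of the git blob object for `data` (same value as `git hash-object`)."""
    return _blob_digest(data).hex()


def _tree_digest(directory: Path) -> Optional[bytes]:
    entries = []
    for child in directory.iterdir():
        st = child.lstat()
        name = child.name.encode("utf-8")
        if stat.S_ISLNK(st.st_mode):
            # symlink: mode 120000, blob content is the link target itself
            mode, key = b"120000", name
            digest = _blob_digest(os.readlink(child).encode("utf-8"))
        elif stat.S_ISDIR(st.st_mode):
            digest = _tree_digest(child)
            if digest is None:
                continue  # git does not record empty directories
            mode, key = b"40000", name + b"/"  # git sorts dirs as if named "dir/"
        else:
            mode = b"100755" if st.st_mode & stat.S_IXUSR else b"100644"
            digest, key = _blob_digest(child.read_bytes()), name
        entries.append((key, mode + b" " + name + b"\0" + digest))
    if not entries:
        return None
    entries.sort(key=lambda e: e[0])
    body = b"".join(raw for _, raw in entries)
    return hashlib.sha1(b"tree %d\0" % len(body) + body).digest()


def git_tree_sha1(directory: Path) -> str:
    """Hex SHA-1 of the git tree object for `directory` (what `git write-tree` would print)."""
    digest = _tree_digest(Path(directory))
    return EMPTY_TREE_SHA1 if digest is None else digest.hex()


def demo() -> dict:
    """Constructed layout (not a real Maven install): hash the install folder, then
    change things inside and outside it and see which changes the digest reflects."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        install = root / "apache-maven"
        (install / "bin").mkdir(parents=True)
        (install / "lib").mkdir()
        (install / "lib" / "ext").mkdir()  # empty dir: invisible to git, so to this digest too
        (install / "bin" / "mvn").write_bytes(b'#!/bin/sh\nexec java -jar ../lib/maven-core.jar "$@"\n')
        (install / "bin" / "mvn").chmod(0o755)
        (install / "lib" / "maven-core.jar").write_bytes(b"PK\x03\x04 constructed jar bytes")

        # stand-in for ~/.m2/repository: it lives outside the install folder
        repo = root / "m2" / "repository"
        repo.mkdir(parents=True)
        (repo / "some-plugin.jar").write_bytes(b"PK\x03\x04 plugin as fetched")

        baseline = git_tree_sha1(install)
        os.utime(install / "lib" / "maven-core.jar", (0, 0))  # mtime only, content unchanged
        after_touch = git_tree_sha1(install)
        (repo / "some-plugin.jar").write_bytes(b"PK\x03\x04 locally overridden plugin")
        after_repo_override = git_tree_sha1(install)
        (install / "lib" / "maven-core.jar").write_bytes(b"PK\x03\x04 patched core jar")
        after_install_change = git_tree_sha1(install)
        (root / "empty").mkdir()
        return {
            "baseline": baseline,
            "after_touch": after_touch,
            "after_repo_override": after_repo_override,
            "after_install_change": after_install_change,
            "empty_dir": git_tree_sha1(root / "empty"),
        }


if __name__ == "__main__":
    for label, value in demo().items():
        print(f"{label:22s} {value}")
```

The digest is unchanged by the touched mtime and by the overridden JAR in the sibling "repository" directory, and changes only when a file inside the hashed folder changes, which is exactly the limitation raised above: a gitTree digest of the install folder says nothing about `~/.m2/settings.xml` or what is in `~/.m2/repository/` unless those are hashed and attested separately. To cross-check the implementation against git, run `git init -q && git add -A && git write-tree` in a scratch copy of the directory (`git add` honours `.gitignore` and `core.fileMode`, so expect differences if either is in play).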
