[jira] [Comment Edited] (MSHARED-661) Make "Built-By", "Built-Jdk" and "Created-By" Manifest entries optional for reproducible builds

[JIRA]

    [ 
https://issues.apache.org/jira/browse/MSHARED-661?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16196106#comment-16196106
 ] 

Hervé Boutemy edited comment on MSHARED-661 at 10/8/17 1:13 PM:
----------------------------------------------------------------

from the beginning, I like these manifest entries since they give you info on 
some key facts on how the binary was done: I like traceability

with Reproducible/Verifiable Builds 
https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=74682318 , the 
general logic completely change with IMHO a more accurate/ambitious strategy: 
it's not just about traceability, but verifiability

when you have verifiable builds, traceability of such details are not useful

we don't have verifiable builds yet: that's why simply removing traceability is 
for me a little bit too early
but adding an option to drop some traceability when you're working on 
verifiability, when traceability is causing issues to verifiability, is an 
approach I find consistent, isn't it?


was (Author: hboutemy):
from the beginning, I like these manifest entries since they give you info on 
some key facts the binary was done: I like traceability

with Reproducible/Verifiable Builds 
https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=74682318 , the 
general logic completely change with IMHO a more accurate strategy: it's not 
just about traceability, but verifiability

when you have verifiable builds, traceability of such details are not useful

we don't have verifiable builds yet: that's why simply removing traceability is 
for me a little bit too early
but adding an option to drop some traceability when you're working on 
verifiability, when traceability is causing issues to verifiability, is an 
approach I find consistent, isn't it?

> Make "Built-By", "Built-Jdk" and "Created-By" Manifest entries optional for 
> reproducible builds
> -----------------------------------------------------------------------------------------------
>
>                 Key: MSHARED-661
>                 URL: https://issues.apache.org/jira/browse/MSHARED-661
>             Project: Maven Shared Components
>          Issue Type: New Feature
>          Components: maven-archiver
>            Reporter: Zlika
>            Priority: Minor
>
> Maven-archiver automatically creates "Built-By", "Build-Jdk" and "Created-By" 
> Manifest entries. In the frame of a reproducible build (cf. MNG-6276) these 
> entries make the build not reproducible.
> Maven-archiver should propose an option to disable the creation of these 
> non-reproducible manifest entries.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)