Hi Jarek,

On Sun, 14 Jan 2024 at 20:06, Jarek Potiuk <[email protected]> wrote:
> I just wanted to share a little accomplishment I (mostly) implemented in
> Airflow - I just merged the last PR to get fully reproducible builds for
> all the Python artifacts we produce and publish in downloads.apache.org
> (python whl, sdist packages, source tarballs).
>
> All our 90 or so artifacts are now fully reproducible and we check
> reproducibility of them as a mandatory step of PMC verification when voting
> the releases. Initially I thought it's not THAT needed for us in the Python
> world, but I got the "let's be reproducible" bug implanted at the
> "reproducible builds" talk at the ApacheCon in Halifax by Hervé Boutemy and
> it stuck - until I got it completed.

Congratulations!

If the builds are reproducible and PMCs are required to check it, what
do you think about proving reproducibility to the outer world by
asking PMCs to cosign the published artifacts?

This additional step would certainly require some changes in the tools
we use to publish artifacts. For example in the Nexus repo it is
impossible (AFAIK) to modify the signatures after the staging repo has
been closed. I have opened an INFRA ticket to see if that can be
changed:

https://issues.apache.org/jira/browse/INFRA-25381

Piotr
