@ Chris:

> We basically gave up on the idea of configuring our tooling to produce the same output on every Java Version, Operating-system and CPU architecture, we simply defined a reference platform in form of a Dockerfile and use docker-compose to "ship the reference build machine".

Yep - we also do it for some parts of the build - especially in CI, where we want to run user's code coming from PR in an isolated environment. But in many cases we do not have to do it, as having just a fixed set of "Python" deps is enough - and modern tooling for Python installs such "isolated build environment" for regular builds, so this happens pretty much behind-the-scenes.

@ Piotr:

> If the builds are reproducible and PMCs are required to check it, what do you think about proving reproducibility to the outer world by asking PMCs to cosign the published artifacts?

Why not. Main problem with multiple signatures was that it was difficult to confirm provenance of the binary to be signed - but if it is binary identical - why not. I think also the future "INFRA artifact platform" should allow such signing (especially when we will use sigstore).

One comment: I updated https://cwiki.apache.org/confluence/display/SECURITY/Reproducible+Builds with some notes about umask (learning from Airflow's reproducibility).

BTW. I am just about to merge a change where I also introduce reproducibility to preparing our Helm Chart packages.

On Mon, Jan 15, 2024 at 8:29 AM Piotr P. Karwasz <[email protected]> wrote:

> Hi Jarek,
>
> On Sun, 14 Jan 2024 at 20:06, Jarek Potiuk <[email protected]> wrote:
> > I just wanted to share a little accomplishment I (mostly) implemented in
> > Airflow - I just merged the last PR to get fully reproducible builds for
> > all the Python artifacts we produce and publish in downloads.apache.org
> > (python whl, sdist packages, source tarballs).
> >
> > All our 90 or so artifacts are now fully reproducible and we check
> > reproducibility of them as a mandatory step of PMC verification when voting
> > the releases. Initially I thought it's not THAT needed for us in the Python
> > world, but I got the "let's be reproducible" bug implanted at the
> > "reproducible builds" talk at the ApacheCon in Halifax by Hervé Boutemy and
> > it stuck - until I got it completed.
>
> Congratulations!
>
> If the builds are reproducible and PMCs are required to check it, what
> do you think about proving reproducibility to the outer world by
> asking PMCs to cosign the published artifacts?
>
> This additional step would certainly require some changes in the tools
> we use to publish artifacts. For example in the Nexus repo it is
> impossible (AFAIK) to modify the signatures after the staging repo has
> been closed. I have opened an INFRA ticket to see if that can be
> changed:
>
> https://issues.apache.org/jira/browse/INFRA-25381
>
> Piotr
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [email protected]
> For additional commands, e-mail: [email protected]
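The umask remark in the reply above points at a general problem with source tarballs: a tar entry records the file mode, owner and mtime of the machine that packed it, so two honest rebuilds of identical sources produce different bytes (and different hashes for the PMC to compare) whenever the umask, the user or the clock differs. The following is an added example written for this page, not Airflow's release tooling and not code from the ASF wiki: it packs a small constructed source tree twice, once under umask 022 and once under umask 077, shows that the naive tarball differs and that a tarball with normalized metadata hashes identically, and lists which header fields leaked. It assumes a POSIX host; the sample tree, the `SOURCE_DATE_EPOCH` value and all function names are constructed for the demonstration.

```python
"""Added example (not Airflow's or ASF's code): why umask, uid and mtime leak into a
source tarball and how to normalize them so two rebuilds hash identically. Assumes a
POSIX host; the sample tree and the SOURCE_DATE_EPOCH value are constructed."""
import gzip
import hashlib
import io
import os
import stat
import tarfile
import tempfile
from pathlib import Path

# Constructed release timestamp (2024-01-15 08:00:00 UTC), pinned instead of "now".
SOURCE_DATE_EPOCH = 1705305600


def _normalize(info: tarfile.TarInfo) -> tarfile.TarInfo:
    """Strip metadata that describes the build host rather than the sources."""
    info.uid = info.gid = 0          # not whichever user ran the build
    info.uname = info.gname = ""     # and no /etc/passwd names either
    info.mtime = SOURCE_DATE_EPOCH   # not the checkout time
    if info.isdir():
        info.mode = 0o755
    elif info.mode & 0o111:          # keep "is executable", drop the umask-dependent bits
        info.mode = 0o755
    else:
        info.mode = 0o644
    return info


def pack_tree(root: Path, normalize: bool = True) -> bytes:
    """Return a .tar.gz of root. normalize=False reproduces the naive, host-dependent build."""
    buf = io.BytesIO()
    # tarfile's "w:gz" stamps the gzip header with the current time, so wrap gzip ourselves.
    with gzip.GzipFile(fileobj=buf, mode="wb", mtime=0) as gz:
        with tarfile.open(fileobj=gz, mode="w") as tar:
            for path in sorted(root.rglob("*")):     # fixed order, not on-disk directory order
                tar.add(path, arcname=str(path.relative_to(root)), recursive=False,
                        filter=_normalize if normalize else None)
    return buf.getvalue()


def write_sample_tree(dest: Path, umask: int) -> None:
    """Create a small constructed source tree, with files created under the given umask."""
    old = os.umask(umask)
    try:
        (dest / "pkg").mkdir(parents=True)
        (dest / "pkg" / "__init__.py").write_text("VERSION = '1.0.0'\n")
        (dest / "README.md").write_text("# sample package\n")
        script = dest / "build.sh"
        script.write_text("#!/bin/sh\necho build\n")
        # The executable bit is real source information and must survive normalization.
        script.chmod(stat.S_IMODE(script.stat().st_mode) | 0o111)
    finally:
        os.umask(old)


def build_under_umask(umask: int, normalize: bool) -> bytes:
    """Build the sample tree in a fresh temp dir under the given umask; return the tarball."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "src"
        write_sample_tree(root, umask)
        return pack_tree(root, normalize=normalize)


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def tar_headers(blob: bytes) -> dict:
    """Map entry name -> (mode, uid, gid, mtime) so the leaked fields can be inspected."""
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tar:
        return {m.name: (m.mode, m.uid, m.gid, m.mtime) for m in tar.getmembers()}


def differing_metadata(a: bytes, b: bytes) -> list:
    """(name, field) pairs whose headers differ: where to look when a PMC member's
    rebuild does not match the published hash."""
    ha, hb = tar_headers(a), tar_headers(b)
    fields = ("mode", "uid", "gid", "mtime")
    diffs = []
    for name in sorted(set(ha) | set(hb)):
        if name not in ha or name not in hb:
            diffs.append((name, "missing"))
            continue
        diffs.extend((name, f) for f, x, y in zip(fields, ha[name], hb[name]) if x != y)
    return diffs


def reproducibility_report() -> dict:
    """Rebuild on a 'laptop' (umask 022) and a 'locked-down CI box' (umask 077), compare."""
    laptop, ci = build_under_umask(0o022, True), build_under_umask(0o077, True)
    raw_laptop, raw_ci = build_under_umask(0o022, False), build_under_umask(0o077, False)
    return {
        "normalized_identical": sha256(laptop) == sha256(ci),
        "raw_identical": sha256(raw_laptop) == sha256(raw_ci),
        "raw_differences": differing_metadata(raw_laptop, raw_ci),
    }


if __name__ == "__main__":
    for key, value in reproducibility_report().items():
        print(f"{key}: {value}")
```

The normalized build pins exactly the four things a reviewer's rebuild cannot be expected to share with the release manager's machine: entry order, ownership, permission bits beyond "executable or not", and timestamps (including the one hidden in the gzip header, which `tarfile`'s own `w:gz` mode sets to the current time). Everything else in the archive is derived from the sources, which is what makes a hash comparison by several PMC members a meaningful check rather than a coincidence.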
