[rb-general] [jvm] introducing reproducible-central

Hervé Boutemy hboutemy at apache.org
Thu Jan 17 17:45:19 CET 2019


Hi,

It seems I was not clear on the intent: I'm not dismissing anything.

I'm just trying to figure out how to rebuild Maven Central content in a way 
that has a chance to get the same binary result, starting on a few simple 
examples done by hand = a few projects, in all their past versions.

Figuring out the command to run is one aspect.
But I'm also trying to figure out which build environment I must use for each 
version of each project: this is where it is tricky.

If you think in-toto can help, don't hesitate to show how: I read the site and 
could not see what I could get from it, be it at the current step (discovering 
how to write the rebuild instructions for a human) or later when trying to 
automate and extend.

Regards,

Hervé

On Thursday 17 January 2019, 16:46:02 CET, Santiago Torres wrote:
> Hi,
> 
> On Thu, Jan 17, 2019 at 10:04:01AM +0100, Hervé Boutemy wrote:
> > Hi,
> > 
> > After the work on jvm buildinfo [1], the discussion on rebuilder
> > attestations showed that Maven central could be seen as some sort of
> > Linux distribution: it has some specific aspects (multi-platform,
> > multi-version for each project), but it shares the fact that someone must
> > write a rebuild specification for everything to be able to automatically
> > execute rebuilds, and these rebuilds will generate buildinfo.
> 
> I'm a little surprised that you dismissed in-toto for this specific
> reason. in-toto is being used today to create platform-agnostic
> supply-chain attestations for everything, from single files to whole
> container images.
> 
> I'm not against re-inventing the wheel or having competing ideas, but it
> seems to me that avoiding xkcd 927 would be a good idea.
> 
> Thanks,
> -Santiago
