[rb-general] Reproducible Java builds with Maven
danielsh at apache.org
Fri Dec 7 09:16:04 CET 2018
Holger Levsen wrote on Wed, 05 Dec 2018 13:59 +0000:
> On Wed, Dec 05, 2018 at 02:49:24PM +0100, Arnout Engelen wrote:
> (and that's why I think one standard .buildinfo file format for all the
> linux distros, android apps, BSD and node/etc and whatnot will not work.)
> I think what we can, is a.) propose the contents of these fileformats
> and b.) some implementations.
> Maybe we can also agree on a certain number of fileformats, but I'm
> sure the day we agree on those, someone new comes around the corner
> and has good reasons to use yet another fileformat.
Given that the serialization formats are going to be different, and that
each file format will have ecosystem-specific fields, I think there will
be limited benefit to agreeing on specific data that must be represented
in the file format. It might be easier to agree on an API that each
buildinfo format must provide; for example:
"Reproduce this package"
"Cryptographically verify <this> untrusted binary artifact" (i.e.,
check whether there's a trust path from the public keys trusted by
the package manager to a random .deb or .rpm)
"Return the list of environmental settings (buildpath, username,
etc) that leak from the build environment to the resulting binary"
Maybe even agree on some execve()-based API (since I doubt we can all
agree on a single programming language, any more than we can all agree
on a single serialization format).
> Also, currently we don't even agree on a.) as Debian .buildinfo files include
> checksums of the binary packages built while Arch Linux .buildinfo files
> are included in their binary packages and thus cannot include checksums
> of themselves...
In terms of API, it sounds like the question here is what the process
for verifying an untrusted binary artifact should be (whether that
should be possible without extracting the artifact, for example).
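As an added illustration of the API idea above (not code from the thread or from any distribution's tooling), here is a small Python sketch of two of the proposed operations, "verify this untrusted artifact" and "list the environment that leaks into the binary", implemented over a constructed Debian-style .buildinfo fragment; the package name, path and environment values are made up for the example.

```python
import hashlib
from typing import Dict, List

# Constructed stand-in for the binary package contents (not a real .deb).
SAMPLE_ARTIFACT = b"hello"

# Constructed Debian-style .buildinfo fragment; the checksum line is filled in
# from SAMPLE_ARTIFACT so that the record and the artifact agree.
SAMPLE_BUILDINFO = """Format: 1.0
Source: hello
Binary: hello
Architecture: amd64
Version: 2.10-2
Checksums-Sha256:
 {sha} 5 hello_2.10-2_amd64.deb
Build-Path: /build/hello-abc123
Environment:
 DEB_BUILD_OPTIONS="parallel=4"
 LC_ALL="C.UTF-8"
""".format(sha=hashlib.sha256(SAMPLE_ARTIFACT).hexdigest())


def parse_buildinfo(text: str) -> Dict[str, List[str]]:
    """Parse RFC822-style fields; indented lines continue the previous field."""
    fields: Dict[str, List[str]] = {}
    key = None
    for line in text.splitlines():
        if line.startswith(" ") and key is not None:
            fields[key].append(line.strip())
        elif ":" in line:
            key, _, value = line.partition(":")
            fields[key] = [value.strip()] if value.strip() else []
    return fields


def verify_artifact(buildinfo: str, filename: str, data: bytes) -> bool:
    """'Verify this untrusted artifact': compare size and SHA-256 with the record."""
    for entry in parse_buildinfo(buildinfo).get("Checksums-Sha256", []):
        digest, size, name = entry.split()
        if name == filename:
            return int(size) == len(data) and hashlib.sha256(data).hexdigest() == digest
    return False  # artifact not listed: the record cannot vouch for it


def leaked_environment(buildinfo: str) -> List[str]:
    """'Return the environmental settings that may leak into the binary'."""
    fields = parse_buildinfo(buildinfo)
    leaks = ["Build-Path=" + p for p in fields.get("Build-Path", [])]
    return leaks + fields.get("Environment", [])
```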