[rb-general] Reproducing sbt-reproducible-builds
arnout at bzzt.net
Sun Dec 23 14:01:47 CET 2018
On Sun, Dec 23, 2018 at 1:48 PM Hervé Boutemy <hboutemy at apache.org> wrote:
> now I get the same hash: good news
> then I could publish somewhere that I was able to reproduce this sbt-
> reproducible-builds-0.19.jar file
I think the most sensible way to achieve this is to share (and sign)
your own buildinfo.
> append my own signature to sbt-reproducible-builds.jar.asc?
> in your original repository or in a separate repository that would be append
> only on such .asc files?
I think it would make sense to simply upload your own uniquely-named
buildinfo and accompanying signature to a separate
"certification/attestation repository", to which anyone can upload
(append only) additional buildinfo's and signatures.
More information about the rb-general