[rb-general] Reproducing sbt-reproducible-builds

Arnout Engelen arnout at bzzt.net
Sun Dec 23 14:01:47 CET 2018

On Sun, Dec 23, 2018 at 1:48 PM Hervé Boutemy <hboutemy at apache.org> wrote:
> now I get the same hash: good news


> then I could publish somewhere that I was able to reproduce this sbt-
> reproducible-builds-0.19.jar file
> how?

I think the most sensible way to achieve this is to share (and sign)
your own buildinfo.

> append my own signature to sbt-reproducible-builds.jar.asc?
> in your original repository or in a separate repository that would be append
> only on such .asc files?

I think it would make sense to simply upload your own uniquely-named
buildinfo and accompanying signature to a separate
"certification/attestation repository", to which anyone can upload
(append only) additional buildinfo's and signatures.

Kind regards,


More information about the rb-general mailing list