[rb-general] [jvm] introducing reproducible-central
Santiago Torres
santiago at nyu.edu
Thu Jan 17 16:46:02 CET 2019
Hi,
On Thu, Jan 17, 2019 at 10:04:01AM +0100, Hervé Boutemy wrote:
> Hi,
>
> After the work on jvm buildinfo [1], the discussion on rebuilder attestations
> showed that Maven central could be seen as some sort of Linux distribution: it
> has some specific aspects (multi-platform, multi-version for each project),
> but it shares the fact that someone must write a rebuild specification for
> everything to be able to automatically execute rebuilds, and these rebuilds
> will generate buildinfo.
I'm a little surprised that you dismissed in-toto for this specific
reason. in-toto is being used today to create platform-agnostic
supply-chain attestations for everything, from single files to whole
container images.
I'm not against re-inventing the wheel or having competing ideas, but it
seems to me that avoiding xkcd 927 would be a good idea.
Thanks,
-Santiago