[rb-general] [jvm] introducing reproducible-central

Santiago Torres santiago at nyu.edu
Thu Jan 17 17:54:59 CET 2019


Sorry if my email came as a little crass. Some of my frustration with
bureaucracy at my university poured through into the words on that

Comments inline.

> I'm just trying to figure out how to rebuild Maven Central content in a way 
> that has a chance to get the same binary result, starting on a few simple 
> examples done by hand = a few projects, in all their past versions.
> Figuring out the command to run is one aspect.
> But I'm also trying to figure out which build environment I must use for each 
> version of each project: this is where it is tricky.

That's the argument that I'd like to make: in-toto supports environment
information out of the box (i.e., you can populate anything you want).
Verification uses a tolerant reader pattern that provides a minimum set
of security properties (i.e., bit-by-bit correspondence between all
involved artifacts and pipeline step integrity). You can add more to it
by means of inspection commands (e.g., you can match the LICENSE
shipped in the package with one in the upstream repository). If you'd
like to add any arbitrary information into the "environment" field of an
attestation you can do so.

> If you think in-toto can help, don't hesitate to show how: I read the site and 
> could not see what I could get from it, be it at the current step (discovering 
> how to write the rebuild instructions for a human) or later when trying to 
> automate and extend

I can take a look at the repository again (I mostly just took a look at
the readme earlier). What I was considering is that in-toto can produce
snapshots of the execution in the maven lifecycle (maybe as means as a

I also understand that the plan later down the line is to share
attestations of these builds. I'm imagining that building a mvn plugin
shouldn't be hard (in the same way that a Jenkins plugin was built) to
output an attestation with all the information needed to bootstrap a
reproducible environment (and the added benefit of it being signed).
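A simplified model of the checks the reply describes (bit-by-bit correspondence of artifacts between pipeline steps, a free-form environment record, and an inspection that matches the shipped LICENSE against upstream), written as an added Python example; it is not part of this thread and does not use in-toto's own API. The file contents, version strings and the required environment keys are constructed assumptions, and signing of the link metadata is left out.

```python
import hashlib

# Constructed sample artifacts, not a real project: an upstream checkout and the package built from it.
UPSTREAM = {"LICENSE": b"Apache License 2.0\n", "src/Main.java": b"class Main {}\n"}
PACKAGE = {"LICENSE": b"Apache License 2.0\n", "app.jar": b"PK\x03\x04 constructed jar bytes"}

def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def make_link(step, materials, products, environment):
    """Simplified link metadata: what the step consumed, what it produced, and a free-form
    environment record. Real in-toto links are signed; signing is omitted here."""
    return {"_type": "link", "name": step,
            "materials": {p: digest(b) for p, b in materials.items()},
            "products": {p: digest(b) for p, b in products.items()},
            "environment": dict(environment)}

def rule_match(consumer, producer, paths):
    """MATCH-style rule: each path must carry the same hash as the consumer's material
    and the producer's product. Returns the paths that fail."""
    return [p for p in paths if consumer["materials"].get(p) != producer["products"].get(p)]

def verify(checkout_link, build_link, package_files, upstream_files):
    """Collect every violation rather than stopping at the first, so the report is complete."""
    violations = []
    # 1. Step integrity: the build consumed exactly the bytes the checkout step produced.
    for p in rule_match(build_link, checkout_link, checkout_link["products"]):
        violations.append(f"build material {p} does not match checkout product")
    # 2. Final product: the package in hand is bit-for-bit what the build step recorded.
    for p, h in build_link["products"].items():
        if digest(package_files.get(p, b"")) != h:
            violations.append(f"delivered {p} does not match build product")
    # 3. Inspection: the LICENSE shipped in the package equals the upstream LICENSE.
    if package_files.get("LICENSE") != upstream_files.get("LICENSE"):
        violations.append("LICENSE in package differs from upstream LICENSE")
    # 4. Environment: the record must carry what is needed to rebuild (assumed keys).
    for key in ("jdk", "maven"):
        if key not in build_link["environment"]:
            violations.append(f"build environment does not record {key}")
    return violations

checkout_link = make_link("checkout", {}, UPSTREAM, {"commit": "constructed-commit-id"})
build_link = make_link("build", UPSTREAM, PACKAGE,
                       {"jdk": "constructed-jdk", "maven": "constructed-maven", "TZ": "UTC"})

if __name__ == "__main__":
    print(verify(checkout_link, build_link, PACKAGE, UPSTREAM))  # []
    tampered = dict(PACKAGE, LICENSE=b"Proprietary\n")
    print(verify(checkout_link, build_link, tampered, UPSTREAM))  # two violations
```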
