Hi Emmanuel,

On 5.05.2026 11:57, Emmanuel Bourg wrote:
> This all looks quite burdensome. Isn't provenance attestation irrelevant
> if our builds are reproducible anyway?

Provenance and reproducibility cover overlapping, but similar problems:

- A reproducible build can still be malicious or come from an unauthorized source.
- A build can of course be not reproducible, in which case we need to trust the builder. In our case the SPDX artifact is not reproducible.

In the attestation produced by `build-attestation` I tried to capture the information that we see in each vote e-mail, so they could constitute a machine-readable version of the e-mail. The information contained also helps reproducing the artifacts, by capturing the environment characteristics (such as JDK version, time-zone and Maven version) that we know can influence the build.

The usage of the goal should be transparent to release managers and almost transparent to voters (the signed artifact will of course be non-reproducible).

Piotr

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
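The two points Piotr makes, that a reproducible artifact still needs a trusted builder and that a non-reproducible one needs its environment recorded, can be shown in a small verifier. The following is an added example, not code from this thread and not the output format of the Maven `build-attestation` goal: the record layout (artifact digest, builder id, environment fields for JDK, Maven and time-zone), the builder ids and the artifact bytes are all constructed here for illustration.

```python
"""Check a build artifact against a provenance record and explain a failed rebuild.

Added example; the record layout is an assumption, not the real build-attestation format.
"""
import hashlib
from typing import Dict, Iterable, List, Tuple


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_attestation(name: str, data: bytes, builder_id: str, environment: Dict[str, str]) -> dict:
    """Assemble a record of what was built (digest), who built it, and the
    environment facts known to influence the output (JDK, Maven, time-zone).
    Field names are assumed for this example."""
    return {
        "artifact": {"name": name, "sha256": sha256_hex(data)},
        "builder": {"id": builder_id},
        "environment": dict(environment),
    }


def verify_artifact(attestation: dict, data: bytes, trusted_builders: Iterable[str]) -> List[str]:
    """Return findings; an empty list means the bytes match the record and the
    record names a builder we trust. A matching digest alone does not pass:
    a reproducible build from an unknown builder is still reported."""
    findings: List[str] = []
    expected = attestation["artifact"]["sha256"]
    actual = sha256_hex(data)
    if actual != expected:
        findings.append(f"digest mismatch: attested {expected[:12]}..., got {actual[:12]}...")
    builder = attestation["builder"]["id"]
    if builder not in set(trusted_builders):
        findings.append(f"untrusted builder: {builder}")
    return findings


def explain_mismatch(att_a: dict, att_b: dict) -> Dict[str, Tuple[str, str]]:
    """If two records for the same artifact disagree on the digest, return the
    environment fields that differ (field -> (value in a, value in b)). This is
    the first place to look when a voter's rebuild does not reproduce."""
    if att_a["artifact"]["sha256"] == att_b["artifact"]["sha256"]:
        return {}
    env_a, env_b = att_a["environment"], att_b["environment"]
    keys = sorted(set(env_a) | set(env_b))
    return {k: (env_a.get(k), env_b.get(k)) for k in keys if env_a.get(k) != env_b.get(k)}


# Constructed sample data: stand-ins for a release jar and a voter's rebuild of it.
RELEASE_BYTES = b"PK\x03\x04 constructed release jar payload"
REBUILD_BYTES = b"PK\x03\x04 constructed rebuild with timestamps in another zone"
TRUSTED_BUILDERS = {"release-manager@example.invalid"}  # assumed allow-list

RELEASE_ATTESTATION = build_attestation(
    "example-1.0.jar", RELEASE_BYTES, "release-manager@example.invalid",
    {"jdk": "17.0.2", "maven": "3.9.6", "timezone": "UTC"})
REBUILD_ATTESTATION = build_attestation(
    "example-1.0.jar", REBUILD_BYTES, "voter@example.invalid",
    {"jdk": "17.0.2", "maven": "3.9.6", "timezone": "Europe/Paris"})

if __name__ == "__main__":
    print(verify_artifact(RELEASE_ATTESTATION, RELEASE_BYTES, TRUSTED_BUILDERS))
    print(verify_artifact(REBUILD_ATTESTATION, REBUILD_BYTES, TRUSTED_BUILDERS))
    print(explain_mismatch(RELEASE_ATTESTATION, REBUILD_ATTESTATION))
```

The digest check answers "is this the artifact that was attested", the builder check answers "do we accept who built it", and the environment diff turns a non-reproducible rebuild from a dead end into a concrete question (here, the time-zone the two builds ran under).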
