Myrle Krantz wrote on Wed, Nov 14, 2018 at 17:19:35 +0100:
> On Wed, Nov 14, 2018 at 1:12 PM Daniel Shahaf <d...@daniel.shahaf.name>
> wrote:
> 
> > The answer to (1) depends on the build platform and toolchain.
> > Reproducible builds [in the sense of "building the same source twice
> > gives bit-for-bit identical binaries"] can help with it.  When the
> > answer is negative, the next question is whether those unauditable
> > artifacts should be carried by ASF mirrors alongside the source
> > artifacts.
> >
> 
> So if a project puts in the effort to
> a.) make their build reproducible (which can actually be very difficult to
> do), and
> b.) do a bit-for-bit compare on a release across at least two build
> artifacts, created by different people on different machines...
> 
> ...would we be willing to see that threat as sufficiently eliminated for
> our purposes?  Would we then be willing to "officially" release binaries?

I would say yes.

I would further note that this is a *sufficient* condition, not a
necessary one.  Often, binaries are _nearly_ reproducible but not _bit
for bit_ reproducible — for example, they might contain a date in the
RM's timezone, or the RM's uname(1) output, etc.  Such differences are
auditable, and it would be reasonable for a PMC member to compare the
proposed binary artifact to one he built locally, see that the
differences are acceptable, and vote +1 on the binary artifact — just
like we do for source artifacts (when we compare tarballs to tags).

Cheers,

Daniel

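A worked version of the comparison Daniel describes, added here as an example that is not code from the thread or from any ASF project: it checks two archives (zip/jar) for bit-for-bit identity and, when they differ, lists exactly which members changed and shows a unified diff of one member, so a build date written in the RM's timezone surfaces as a single auditable line. The archive members and manifest lines are constructed.

```python
# Per-member comparison of two build artifacts (zip/jar), so a reviewer can audit
# the differences of a nearly-reproducible build instead of stopping at a hash
# mismatch.  Added example; not code from the thread or from any ASF project.
import difflib
import hashlib
import io
import zipfile


def member_digests(archive: bytes) -> dict:
    """Map every member name of a zip archive to the SHA-256 of its contents."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return {i.filename: hashlib.sha256(zf.read(i)).hexdigest() for i in zf.infolist()}


def compare_artifacts(proposed: bytes, local: bytes) -> dict:
    """Report bit-for-bit identity or, failing that, exactly which members
    differ or exist on only one side, so each difference can be audited."""
    if hashlib.sha256(proposed).digest() == hashlib.sha256(local).digest():
        return {"identical": True, "changed": [], "only_proposed": [], "only_local": []}
    a, b = member_digests(proposed), member_digests(local)
    return {
        "identical": False,
        "changed": sorted(n for n in a.keys() & b.keys() if a[n] != b[n]),
        "only_proposed": sorted(a.keys() - b.keys()),
        "only_local": sorted(b.keys() - a.keys()),
    }


def member_diff(proposed: bytes, local: bytes, name: str) -> list:
    """Unified diff (local -> proposed) of one text member, e.g. a manifest."""
    with zipfile.ZipFile(io.BytesIO(proposed)) as zp, zipfile.ZipFile(io.BytesIO(local)) as zl:
        new = zp.read(name).decode("utf-8", "replace").splitlines()
        old = zl.read(name).decode("utf-8", "replace").splitlines()
    return list(difflib.unified_diff(old, new, "local/" + name, "proposed/" + name, lineterm=""))


def build_zip(members: dict) -> bytes:
    """Constructed sample artifact; ZipInfo's fixed 1980 timestamp keeps it deterministic."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(zipfile.ZipInfo(name), data)
    return buf.getvalue()


if __name__ == "__main__":  # constructed: same class bytes, manifest date in two timezones
    rm = build_zip({"META-INF/MANIFEST.MF": b"Build-Date: 2018-11-14 17:19 +0100\n", "lib/a.class": b"\xca\xfe"})
    mine = build_zip({"META-INF/MANIFEST.MF": b"Build-Date: 2018-11-14 16:19 +0000\n", "lib/a.class": b"\xca\xfe"})
    print(compare_artifacts(rm, mine), *member_diff(rm, mine, "META-INF/MANIFEST.MF"), sep="\n")
```
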