Greetings,

Over on the legal-discuss list at the Apache Software Foundation, we are currently discussing reproducible builds.

https://markmail.org/message/k7ldwepd3ph2qxsp

If anyone would like to participate in the discussion, you can subscribe by sending an email to: legal-discuss-subscr...@apache.org

The history of binary packages at the ASF is long and fraught. The Foundation only officially endorses pure source code packages; what is being considered is whether the ASF should give its official imprimatur to binary releases and whether such binary release packages should be required to be the result of a reproducible build.

For a while now, I've been contemplating what a patch to the ASF's Release Policy[1] requiring reproducibility ought to look like. In some ways it would be nice if you folks could serve as a steward for the definition of "reproducible build", similar to how the Open Source Initiative maintains the Open Source Definition[2], so that an external policy document could reference it.

You currently have a definitions page[3] which is nice and easy to understand. A couple of comments:

1. The current definition would be a bit awkward to reference in an official document or policy because it is neither frozen nor versioned.

2. Hoovering up the build environment into a Docker container or similar might be enough to produce "reproducible" results, but without provenance information for the "relevant attributes of the build environment", the benefits are diminished. ("Does the all-new opaque build environment for release X.Y.Z contain a trojan?")

Assuming that keeping the generality of the official definition is important to you, can you suggest any options for downstream "authors or distributors" to tighten that up?

Marvin Humphrey

[1] https://apache.org/legal/release-policy
[2] https://opensource.org/osd
[3] https://reproducible-builds.org/docs/definition

_______________________________________________
rb-general@lists.reproducible-builds.org mailing list
To change your subscription options, visit https://lists.reproducible-builds.org/listinfo/rb-general.
To unsubscribe, send an email to rb-general-unsubscr...@lists.reproducible-builds.org.
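The second comment above separates two things a policy has to pin down: that the build itself is deterministic, and that the "relevant attributes of the build environment" are recorded so a verifier can judge the environment rather than only the digest. The following is an added illustration, not code from the message, the ASF, or reproducible-builds.org. It packages a constructed two-file source tree first naively (host mtimes and uid/gid leak into the tar headers) and then deterministically (sorted traversal, normalised headers, a fixed SOURCE_DATE_EPOCH), and attaches a provenance record listing assumed environment attributes so that a matching digest produced in an unexpected environment is still flagged. The field names, the sample tree, and the chosen environment attributes are this example's own.

```python
"""Added example: deterministic archive build plus an environment provenance
record. Not from the original message or any project it mentions."""
import hashlib
import io
import os
import platform
import shutil
import tarfile
import tempfile

# Assumed fixed timestamp standing in for the commit date a real build would
# take from SOURCE_DATE_EPOCH.
SOURCE_DATE_EPOCH = 1_600_000_000

# Constructed sample source tree: relative path -> contents.
SAMPLE_TREE = {
    "README": b"example project\n",
    "src/main.c": b"int main(void) { return 0; }\n",
}


def make_checkout(tree, mtime):
    """Write `tree` to a fresh temp dir and stamp every entry with `mtime`,
    simulating a checkout made on another machine at another time."""
    root = tempfile.mkdtemp(prefix="checkout-")
    for rel, data in tree.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    for dirpath, dirnames, filenames in os.walk(root, topdown=False):
        for name in dirnames + filenames:
            os.utime(os.path.join(dirpath, name), (mtime, mtime))
        os.utime(dirpath, (mtime, mtime))
    return root


def naive_archive(src_dir):
    """`tar cf`-style packaging: mtime, uid/gid and user/group names are copied
    from the host, so two checkouts of identical source give different bytes."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        tar.add(src_dir, arcname="pkg")
    return buf.getvalue()


def deterministic_archive(src_dir, epoch=SOURCE_DATE_EPOCH):
    """Same content, with every host-dependent header field normalised."""
    def normalize(info):
        info.mtime = int(epoch)          # int keeps it out of a pax header
        info.uid = info.gid = 0
        info.uname = info.gname = ""
        info.mode = 0o755 if info.isdir() or info.mode & 0o100 else 0o644
        return info

    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.PAX_FORMAT) as tar:
        for dirpath, dirnames, filenames in os.walk(src_dir):
            dirnames.sort()  # fixed traversal order regardless of filesystem
            rel = os.path.relpath(dirpath, src_dir)
            arc = "pkg" if rel == "." else "pkg/" + rel.replace(os.sep, "/")
            tar.add(dirpath, arcname=arc, recursive=False, filter=normalize)
            for name in sorted(filenames):
                tar.add(os.path.join(dirpath, name), arcname=arc + "/" + name,
                        recursive=False, filter=normalize)
    return buf.getvalue()


def build(src_dir, epoch=SOURCE_DATE_EPOCH):
    """Return the artifact and a provenance record. The environment keys are
    assumed for this example; a real record would also pin the compiler, the
    base image digest and the hash of the build instructions."""
    artifact = deterministic_archive(src_dir, epoch)
    provenance = {
        "artifact_sha256": hashlib.sha256(artifact).hexdigest(),
        "source_date_epoch": epoch,
        "environment": {"python": platform.python_version(),
                        "platform": platform.system()},
    }
    return artifact, provenance


def verify(artifact, provenance, expected_environment):
    """Check the digest AND that the declared environment is the expected one.
    Returns (digest_ok, environment_ok, mismatched_keys)."""
    digest_ok = hashlib.sha256(artifact).hexdigest() == provenance["artifact_sha256"]
    env = provenance["environment"]
    mismatched = sorted(k for k in set(env) | set(expected_environment)
                        if env.get(k) != expected_environment.get(k))
    return digest_ok, not mismatched, mismatched


def demo():
    """Two checkouts a day apart: naive archives differ, deterministic ones
    match, and a matching digest from an unexpected environment is flagged."""
    a = make_checkout(SAMPLE_TREE, mtime=1_700_000_000)
    b = make_checkout(SAMPLE_TREE, mtime=1_700_086_400)
    try:
        art_a, prov_a = build(a)
        art_b, prov_b = build(b)
        return {
            "naive_identical": naive_archive(a) == naive_archive(b),
            "deterministic_identical": art_a == art_b,
            "same_env": verify(art_b, prov_b, prov_a["environment"]),
            "unknown_env": verify(art_b, prov_b,
                                  {**prov_a["environment"], "python": "unknown"}),
        }
    finally:
        shutil.rmtree(a)
        shutil.rmtree(b)


if __name__ == "__main__":
    print(demo())
```

The `unknown_env` case is the situation the comment describes: the bytes reproduce, yet the record says they came from an environment the verifier did not expect, which is exactly when the "opaque build environment" question needs asking. Without the provenance record, `verify` would have nothing to compare but the digest.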