Hi Marvin,

thanks for reaching out to us reproducible-builds.org folks!

On Mon, Jan 21, 2019 at 03:10:44PM -0800, Marvin Humphrey wrote:
> Over on the legal-discuss list at the Apache Software Foundation, we are
> currently discussing reproducible builds.
> 
>     https://markmail.org/message/k7ldwepd3ph2qxsp

Yup, David Wheeler has also pointed us to that thread. Exciting!

> If anyone would like to participate in the discussion, you can subscribe
> by sending an email to: legal-discuss-subscr...@apache.org

I fear I cannot commit to yet another mailing list. But please do feel
free to cc: me on any mail on this topic you find relevant!

> The history of binary packages at the ASF is long and fraught.  The
> Foundation only officially endorses pure source code packages; what is
> being considered is whether the ASF should give its official imprimatur
> to binary releases and whether such binary release packages should be
> required to be the result of a reproducible build.
> 
> For a while now, I've been contemplating what a patch to the ASF's
> Release Policy[1] requiring reproducibility ought to look like.  In some
> ways it would be nice if you folks could serve as a steward for the
> definition of "reproducible build", similar to how the Open Source
> Initiative maintains the Open Source Definition[2], so that an external
> policy document could reference it.

Thanks. A lot! :)

> You currently have a definitions page[3] which is nice and easy to
> understand.  A couple of comments:

Thanks! Also for the comments!

> 1.  The current definition would be a bit awkward to reference in an
>     official document or policy because it is not either frozen or
>     versioned.

Excellent idea, I've recorded it at
https://salsa.debian.org/reproducible-builds/reproducible-website/issues/5

> 2.  Hoovering up the build environment into a Docker container or
>     similar might be enough to produce "reproducible" results, but
>     without provenance information for the "relevant attributes of the
>     build environment", the benefits are diminished. ("Does the all-new
>     opaque build environment for release X.Y.Z contain a trojan?")
>     Assuming that keeping the generality of the official definition is
>     important to you, can you suggest any options for downstream
>     "authors or distributors" to tighten that up?

Not really. I believe https://bugs.debian.org/844431 has some more thoughts on
this issue though.


-- 
tschüß,
        Holger

-------------------------------------------------------------------------------
               holger@(debian|reproducible-builds|layer-acht).org
       PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C
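As an added illustration of the point in Marvin's second comment (that a build is only usefully "reproducible" when the relevant attributes of the build environment are recorded alongside the output, rather than hidden inside an opaque container), here is a small buildinfo-style check. It is not code from this thread, from the ASF, or from reproducible-builds.org tooling; the attribute list, the toy build step that embeds a timestamp, and the manifest layout are all assumptions made for the example.

```python
"""Toy reproducible-build check (constructed example).

A build records the relevant attributes of its environment in a small
buildinfo-style manifest, and two manifests are compared. A manifest that
does not record the attributes is reported as an opaque environment rather
than as a successful reproduction. The attribute list and the toy build step
are assumptions for illustration, not real reproducible-builds.org tooling.
"""
import hashlib
import json
import time

# Attributes we declare relevant for this toy build (assumed list).
RELEVANT_ATTRIBUTES = ("SOURCE_DATE_EPOCH", "TOOLCHAIN", "LC_ALL")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def toy_build(source: bytes, env: dict) -> bytes:
    """Mimic a compiler that embeds a build timestamp.

    It honours SOURCE_DATE_EPOCH when set; otherwise it stamps the wall
    clock, which is the classic source of non-reproducible output.
    """
    stamp = env.get("SOURCE_DATE_EPOCH") or str(int(time.time()))
    toolchain = env.get("TOOLCHAIN", "unknown")
    return (b"built-with=" + toolchain.encode() + b"\n"
            + b"stamp=" + stamp.encode() + b"\n" + source)


def make_buildinfo(source: bytes, env: dict) -> dict:
    """Record what went in, what came out, and the relevant environment."""
    output = toy_build(source, env)
    return {
        "source_sha256": sha256_hex(source),
        "output_sha256": sha256_hex(output),
        "environment": {k: env.get(k) for k in RELEVANT_ATTRIBUTES},
    }


def compare_buildinfo(a: dict, b: dict) -> dict:
    """Classify a second build against a first one.

    Returns a status plus the attribute names that explain it:
      different_source     - not comparing the same inputs at all
      opaque_environment   - a relevant attribute was never recorded
      environment_differs  - recorded attributes do not match
      reproduced           - same environment, bit-identical output
      not_reproducible     - same recorded environment, different output
    """
    if a["source_sha256"] != b["source_sha256"]:
        return {"status": "different_source", "details": []}
    missing = [k for k in RELEVANT_ATTRIBUTES
               if a["environment"].get(k) is None
               or b["environment"].get(k) is None]
    if missing:
        return {"status": "opaque_environment", "details": missing}
    differing = [k for k in RELEVANT_ATTRIBUTES
                 if a["environment"][k] != b["environment"][k]]
    if differing:
        return {"status": "environment_differs", "details": differing}
    if a["output_sha256"] == b["output_sha256"]:
        return {"status": "reproduced", "details": []}
    return {"status": "not_reproducible", "details": []}


if __name__ == "__main__":
    # Constructed sample source and environment.
    src = b"int main(void) { return 0; }\n"
    env = {"SOURCE_DATE_EPOCH": "1548000000",
           "TOOLCHAIN": "gcc-8.2", "LC_ALL": "C.UTF-8"}
    first = make_buildinfo(src, env)
    second = make_buildinfo(src, dict(env))
    print(json.dumps(first, indent=2))
    print(compare_buildinfo(first, second))
    # Same source built with the timestamp attribute unrecorded:
    print(compare_buildinfo(first, make_buildinfo(src, {"TOOLCHAIN": "gcc-8.2",
                                                        "LC_ALL": "C.UTF-8"})))
```

The design choice worth noting is that an unrecorded attribute is reported as `opaque_environment` before the output hashes are even compared: two opaque builds can match by luck, but the manifest gives a downstream distributor nothing to audit, which is the concern raised about container-only build environments.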

Attachment: signature.asc
Description: PGP signature

_______________________________________________
rb-general@lists.reproducible-builds.org mailing list

To change your subscription options, visit 
https://lists.reproducible-builds.org/listinfo/rb-general.

To unsubscribe, send an email to 
rb-general-unsubscr...@lists.reproducible-builds.org.
