[GitHub] [maven-apache-parent] kwin commented on pull request #35: MPOM-261 create buildinfo file for reproducible builds

2021-02-21 Thread GitBox


kwin commented on pull request #35:
URL: 
https://github.com/apache/maven-apache-parent/pull/35#issuecomment-783170906


   @hboutemy Thanks for the answers. I understand that it is too early right 
now for buildinfo to be published (due to the format not being finalized) to Maven 
Central. Are you also implying that the buildinfo is not necessary even in the 
long term for Maven-based projects as the relevant information can be derived 
from pom.xml and MANIFEST.MF or do you agree that the buildinfo in the long 
term should be published along with the artifacts?
   For me the primary goal is to verify that the build artifacts 
published/downloaded from Central are really based on a specific source. For 
that the buildinfo is crucial as otherwise you have to rely on heuristics 
(https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=74682318#Reproducible/VerifiableBuilds-Rebuilding).



This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org




[GitHub] [maven-apache-parent] kwin commented on pull request #35: MPOM-261 create buildinfo file for reproducible builds

2021-02-21 Thread GitBox


kwin commented on pull request #35:
URL: 
https://github.com/apache/maven-apache-parent/pull/35#issuecomment-782898519


   @hboutemy Don't you think that buildinfo files should be available by 
default from Maven Central?
   Which parts of Maven Central currently have buildinfo being generated? I only 
see 288 releases


