Hi Neil,

On 18.03.2026 15:29, Neil C Smith wrote:
> I wanted to ask how the NetBeans project might be able to access
> Windows and macOS code signing via GitHub Actions, if reproducible
> builds are not an option?

Personally, I understand the rationale behind requiring releases to be either reproducible or built on committer-owned hardware. However, I think that with the current state of the art, we have reached something of a paradox.

At present, we tend to prefer releases built on committer-owned machines over those produced by GitHub Actions, even though:

- GitHub Actions builds run in clean, ephemeral environments (Docker images),
- while committer-owned machines may contain residual artifacts from previous builds and dirty cached dependencies.

From this perspective, CI-based builds can in practice offer a more controlled and reproducible environment than local builds.

In the case of NetBeans, I believe one way to address the trust concerns would be to generate SLSA build attestations as part of the CI process. The Release Manager could then verify these attestations prior to initiating a release vote. The SLSA specification already defines a verification procedure for this purpose:
https://slsa.dev/spec/v1.2/verifying-artifacts

Piotr
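The Release Manager check that Piotr describes, as an added example that is not part of this thread or of the NetBeans project: the SLSA verification procedure has two halves, (1) confirm the attestation was really signed by the trusted builder, and (2) confirm the provenance inside it says what the verifier expects about the builder, the source and the artifact. The script below implements the second half as a policy check over a DSSE-wrapped in-toto statement carrying a SLSA v1 provenance predicate. Signature verification is assumed to have been done beforehand with a Sigstore client (for instance `gh attestation verify` for GitHub-issued attestations); nothing here validates a signature. The field paths follow the SLSA v1 provenance layout as emitted by GitHub's build-provenance action, and the workflow path, commit hash, builder id and the sample archive bytes are constructed, hypothetical values.

```python
"""Policy checks over a SLSA v1 provenance attestation before a release vote.

Assumes the DSSE envelope's signature has ALREADY been verified against the
trusted builder (e.g. `gh attestation verify` / a Sigstore client); this code
only checks the claims inside the statement. Repository, workflow path, commit
and builder id are hypothetical example values.
"""
import base64
import hashlib
import json

STATEMENT_TYPE = "https://in-toto.io/Statement/v1"
PROVENANCE_TYPE = "https://slsa.dev/provenance/v1"
DSSE_PAYLOAD_TYPE = "application/vnd.in-toto+json"

# Hypothetical expectations a Release Manager would pin before verifying.
EXPECTED_REPO = "https://github.com/apache/netbeans"
EXPECTED_BUILDER = "https://github.com/actions/runner/github-hosted"


def decode_envelope(envelope):
    """Unwrap a DSSE envelope and return the in-toto statement it carries."""
    if envelope.get("payloadType") != DSSE_PAYLOAD_TYPE:
        raise ValueError("unexpected payloadType: %r" % envelope.get("payloadType"))
    return json.loads(base64.b64decode(envelope["payload"]))


def check_provenance(statement, artifact_bytes, expected_commit,
                     expected_repo=EXPECTED_REPO, expected_builder=EXPECTED_BUILDER):
    """Return a list of policy violations; an empty list means the artifact passes."""
    problems = []
    if statement.get("_type") != STATEMENT_TYPE:
        problems.append("not an in-toto v1 statement")
    if statement.get("predicateType") != PROVENANCE_TYPE:
        problems.append("predicate is not SLSA v1 provenance")

    # 1. The file being voted on must be one of the attested subjects.
    digest = hashlib.sha256(artifact_bytes).hexdigest()
    subjects = statement.get("subject", [])
    if not any(s.get("digest", {}).get("sha256") == digest for s in subjects):
        problems.append("artifact sha256 %s is not an attested subject" % digest)

    pred = statement.get("predicate", {})
    build_def = pred.get("buildDefinition", {})
    run = pred.get("runDetails", {})

    # 2. The build must have run on the builder we trust, not on a local machine.
    builder = run.get("builder", {}).get("id")
    if builder != expected_builder:
        problems.append("unexpected builder id: %r" % builder)

    # 3. The workflow must have been taken from the project's own repository.
    workflow = build_def.get("externalParameters", {}).get("workflow", {})
    if workflow.get("repository") != expected_repo:
        problems.append("workflow repository %r is not %s"
                        % (workflow.get("repository"), expected_repo))

    # 4. The source checkout must be the exact commit the vote refers to.
    src_prefix = "git+" + expected_repo + "@"
    commits = [d.get("digest", {}).get("gitCommit")
               for d in build_def.get("resolvedDependencies", [])
               if d.get("uri", "").startswith(src_prefix)]
    if expected_commit not in commits:
        problems.append("source commit %s not found in resolvedDependencies" % expected_commit)
    return problems


def verify_release(envelope, artifact_bytes, expected_commit):
    """Decode the (already signature-checked) envelope, then run the policy checks."""
    return check_provenance(decode_envelope(envelope), artifact_bytes, expected_commit)


# Constructed sample data, not a real attestation: fake archive bytes plus a
# provenance statement for them, wrapped in a DSSE envelope with a placeholder signature.
SAMPLE_COMMIT = "0123456789abcdef0123456789abcdef01234567"
SAMPLE_ARTIFACT = b"constructed bytes standing in for a release archive\n"


def build_sample_envelope(artifact_bytes=SAMPLE_ARTIFACT, commit=SAMPLE_COMMIT):
    statement = {
        "_type": STATEMENT_TYPE,
        "subject": [{"name": "release.zip",
                     "digest": {"sha256": hashlib.sha256(artifact_bytes).hexdigest()}}],
        "predicateType": PROVENANCE_TYPE,
        "predicate": {
            "buildDefinition": {
                "buildType": "https://actions.github.io/buildtypes/workflow/v1",
                "externalParameters": {"workflow": {
                    "ref": "refs/heads/master",
                    "repository": EXPECTED_REPO,
                    "path": ".github/workflows/release.yml"}},  # hypothetical path
                "resolvedDependencies": [{"uri": "git+" + EXPECTED_REPO + "@refs/heads/master",
                                          "digest": {"gitCommit": commit}}],
            },
            "runDetails": {"builder": {"id": EXPECTED_BUILDER}},
        },
    }
    payload = base64.b64encode(json.dumps(statement).encode()).decode()
    return {"payloadType": DSSE_PAYLOAD_TYPE, "payload": payload,
            "signatures": [{"keyid": "", "sig": "placeholder-not-a-real-signature"}]}


if __name__ == "__main__":
    env = build_sample_envelope()
    print("genuine artifact:", verify_release(env, SAMPLE_ARTIFACT, SAMPLE_COMMIT) or "OK")
    print("tampered artifact:", verify_release(env, SAMPLE_ARTIFACT + b"x", SAMPLE_COMMIT))
    print("wrong commit:", verify_release(env, SAMPLE_ARTIFACT, "f" * 40))
```

The point of running every check and collecting the violations, rather than stopping at the first one, is that a failed vote needs a complete picture: a digest mismatch alone suggests a swapped file, while a digest mismatch together with an unexpected builder id suggests the attestation itself was produced outside CI. The signature step that this script skips is the one that binds the statement to the builder's identity; without it, the JSON checked here could have been written by anyone.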
