On 5/22/08, Chris Helck <[EMAIL PROTECTED]> wrote:
> Rich,
> It's very common for corporations to implement this sort of thing. It
> helps ensure that the products can be rebuilt from the source code, and
> that helps certain audit/security processes. In any case, this is what
> my company does, and they pay me every two weeks.
>
> I do what you suggest for internal and informal releases of test tools
> and report generators.

From my experience, the reproducibility problems can happen from various factors, but most of them will be detected by using a build server. Some will still go through: e.g. that can easily happen with Maven 2.0.x when using non-versioned plugins in the POMs. Happened to me again today: http://jira.codehaus.org/browse/MNG-3594

If you really want to double check things, you should do it in a different manner, and compare the results. That's what backup systems do for critical systems. But that is very costly. It is certainly possible to have one build server monitoring the CSM and another trying to reproduce the builds, e.g. from information found in the released POMs and artifacts. That's a lot of trouble for not much gain from my point of view. Except if you work for NASA :)

One simple idea: use 2 build environments, one for your development team, one for your 'secure' team. Build all the time, and compare the produced artifacts (maybe using some sort of checksums). Make sure each artifact contains enough information (e.g. make it include the revision number the artifact was built from).

Another idea: add a build server to rebuild your past tagged projects. That's particularly useful for long-lived branches. Always add a build triggered by time instead of just commits.

Finally, make sure that any tool used in the build, from the SDK to the zip tool, has a locked-down version number, and a check that ensures potential problems are detected early. Make your build tool write those versions in the log. And keep your build logs.

Jerome
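
The two-environment comparison suggested above, sketched as an added example (not code from this thread). The `Build-Revision` manifest attribute, the function names and the sample jars are assumptions constructed for illustration. It goes one step past a plain checksum: jar files record per-entry timestamps, so two honest builds of the same revision usually differ byte for byte, and the comparison falls back to hashing each entry's content.

```python
import hashlib
import io
import zipfile

REVISION_ATTR = "Build-Revision"  # hypothetical manifest attribute, not a Maven default

def entry_digests(jar_bytes):
    """SHA-256 of each entry's uncompressed content, keyed by entry name."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return {i.filename: hashlib.sha256(zf.read(i)).hexdigest()
                for i in zf.infolist() if not i.is_dir()}

def revision_of(jar_bytes):
    """Revision recorded in META-INF/MANIFEST.MF, or None if absent."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        if "META-INF/MANIFEST.MF" not in zf.namelist():
            return None
        for line in zf.read("META-INF/MANIFEST.MF").decode("utf-8").splitlines():
            key, _, value = line.partition(":")
            if key.strip() == REVISION_ATTR:
                return value.strip()
    return None

def compare_builds(dev_jar, secure_jar):
    """Return (verdict, details) for one artifact built in two environments."""
    rev = revision_of(dev_jar)
    if rev is None or rev != revision_of(secure_jar):
        return "revision-mismatch", {}
    if hashlib.sha256(dev_jar).digest() == hashlib.sha256(secure_jar).digest():
        return "identical", {}
    dev, sec = entry_digests(dev_jar), entry_digests(secure_jar)
    diffs = {n: (dev.get(n), sec.get(n))
             for n in sorted(dev.keys() | sec.keys()) if dev.get(n) != sec.get(n)}
    # Empty diffs: only archive metadata (e.g. entry timestamps) differs.
    return ("metadata-only", {}) if not diffs else ("content-differs", diffs)

def make_jar(entries, built_at):
    """Constructed sample artifact; built_at becomes each zip entry's timestamp."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(zipfile.ZipInfo(name, date_time=built_at), data)
    return buf.getvalue()

# Constructed sample data: the same sources built at two different times.
SOURCES = {"META-INF/MANIFEST.MF": "Manifest-Version: 1.0\nBuild-Revision: 1234\n",
           "com/example/App.class": b"\xca\xfe\xba\xbe constructed class bytes"}
DEV = make_jar(SOURCES, (2008, 5, 22, 10, 0, 0))
SECURE = make_jar(SOURCES, (2008, 5, 22, 11, 30, 0))
```

`compare_builds(DEV, SECURE)` returns `("metadata-only", {})`; a `content-differs` verdict lists the entries whose content hashes disagree, which is the case worth investigating.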