You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@plc4x.apache.org by "Christofer Dutz (Jira)" <ji...@apache.org> on 2019/10/30 09:29:00 UTC

[jira] [Created] (PLC4X-148) Update the build to allow reproducible builds

Christofer Dutz created PLC4X-148:
-------------------------------------

             Summary: Update the build to allow reproducible builds
                 Key: PLC4X-148
                 URL: https://issues.apache.org/jira/browse/PLC4X-148
             Project: Apache PLC4X
          Issue Type: New Feature
    Affects Versions: 0.5.0
            Reporter: Christofer Dutz
            Assignee: Christofer Dutz
             Fix For: 0.6.0


The maven team are currently releasing new versions of maven plugins which would allow to create reproducible builds. 

This would have a huge benefit as when releasing binary artifacts both the PMC as well as users don't have the means to verify the binaries were actually build form exactly the sources they are voting on.

With reproducible builds it would be possible to add one step of verification to the release verification where the locally built artifacts are checked for binary equality with the staged artifacts.

Also users could possibly buld the source release and compare those results with the artifacts in their companies repos hereby adding another level of certainty.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)