You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@community.apache.org by Hervé BOUTEMY <he...@free.fr> on 2019/01/25 22:54:33 UTC
[RB] Working on Reproducible Builds for ASF projects
Hi,
As discussed in "Binary channels" thread on legal-discuss [1], Reproducible
Builds [2] is something that should be very interesting to improve management
of convenience binaries at ASF.
Reproducible Builds started with but is not limited to Linux distributions: in
ASF, interesting case would be language-specific distributions like Maven
Central, PyPI, npmjs, or even Dockerhub.
Some work has started at Reproducible Builds on the JVM [3]. That should
happen also for other "languages".
Are there Apache projects interested in working together to share experience
and improvements?
Regards,
Hervé
[1] http://mail-archives.apache.org/mod_mbox/www-legal-discuss/
[2] https://reproducible-builds.org/
[3] https://reproducible-builds.org/docs/jvm/
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@community.apache.org
For additional commands, e-mail: dev-help@community.apache.org
Re : Re: [RB] Working on Reproducible Builds for ASF projects
Posted by he...@free.fr.
Hi Joan,
Glad to see people interested in working on technical side before trying to eventually rework the legal aspects.
I don’t know precisely how we can help each other: it’s really up to everybody to define details.
When I read the case of CouchDB, IMHO, in addition to the language, there is an additionnal question: are binaries published by the project to another location than Apache dist?where?
Perhaps we could create a Wiki page listing for each project what that they do, so that others can see who has the same technical bits than himself.
I have personally one big question: when archives are made reproducible (be it zip or tar), how do you choose the timestamp value?
In Linux distributions, since the build is done independently from the upstream release, they can choose the value to put into EPOCH. But when the upstream project does his release, how is defined the timestamp value?
Regards,
Hervé
----- Mail d'origine -----
De: Joan Touzet <wo...@apache.org>
À: dev@community.apache.org
Envoyé: Sat, 26 Jan 2019 22:27:16 +0100 (CET)
Objet: Re: [RB] Working on Reproducible Builds for ASF projects
Hi Hervé,
Apache CouchDB is very interested in this - and have made significant
strides towards reproducible builds already, including our Dockerhub
image build process.
However, because of our very complex build environment and toolchains,
especially on Windows, we're not a "slam dunk" like a pure-Java project
would be. Our project involves at least 5 programming languages
(Erlang, Elixir, Python, JavaScript, C/C++) with 3 runtime environments.
How would you like to work together on this? (FYI I'm out of spoons[1]
to delve into the legal-discuss thread, but I'm very glad to see the
thread is out there, as well as people like David Nalley speaking what
I've been saying for years, mostly to deaf ears.
-Joan
[1]: https://en.wikipedia.org/wiki/Spoon_theory
----- Original Message -----
> From: "Hervé BOUTEMY" <he...@free.fr>
> To: dev@community.apache.org
> Sent: Friday, 25 January, 2019 5:54:33 PM
> Subject: [RB] Working on Reproducible Builds for ASF projects
>
> Hi,
>
> As discussed in "Binary channels" thread on legal-discuss [1],
> Reproducible
> Builds [2] is something that should be very interesting to improve
> management
> of convenience binaries at ASF.
>
> Reproducible Builds started with but is not limited to Linux
> distributions: in
> ASF, interesting case would be language-specific distributions like
> Maven
> Central, PyPI, npmjs, or even Dockerhub.
>
> Some work has started at Reproducible Builds on the JVM [3]. That
> should
> happen also for other "languages".
>
> Are there Apache projects interested in working together to share
> experience
> and improvements?
>
> Regards,
>
> Hervé
>
> [1] http://mail-archives.apache.org/mod_mbox/www-legal-discuss/
>
> [2] https://reproducible-builds.org/
>
> [3] https://reproducible-builds.org/docs/jvm/
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@community.apache.org
> For additional commands, e-mail: dev-help@community.apache.org
>
>
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@community.apache.org
For additional commands, e-mail: dev-help@community.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@community.apache.org
For additional commands, e-mail: dev-help@community.apache.org
Re: [RB] Working on Reproducible Builds for ASF projects
Posted by Joan Touzet <wo...@apache.org>.
Hi Hervé,
Apache CouchDB is very interested in this - and have made significant
strides towards reproducible builds already, including our Dockerhub
image build process.
However, because of our very complex build environment and toolchains,
especially on Windows, we're not a "slam dunk" like a pure-Java project
would be. Our project involves at least 5 programming languages
(Erlang, Elixir, Python, JavaScript, C/C++) with 3 runtime environments.
How would you like to work together on this? (FYI I'm out of spoons[1]
to delve into the legal-discuss thread, but I'm very glad to see the
thread is out there, as well as people like David Nalley speaking what
I've been saying for years, mostly to deaf ears.
-Joan
[1]: https://en.wikipedia.org/wiki/Spoon_theory
----- Original Message -----
> From: "Hervé BOUTEMY" <he...@free.fr>
> To: dev@community.apache.org
> Sent: Friday, 25 January, 2019 5:54:33 PM
> Subject: [RB] Working on Reproducible Builds for ASF projects
>
> Hi,
>
> As discussed in "Binary channels" thread on legal-discuss [1],
> Reproducible
> Builds [2] is something that should be very interesting to improve
> management
> of convenience binaries at ASF.
>
> Reproducible Builds started with but is not limited to Linux
> distributions: in
> ASF, interesting case would be language-specific distributions like
> Maven
> Central, PyPI, npmjs, or even Dockerhub.
>
> Some work has started at Reproducible Builds on the JVM [3]. That
> should
> happen also for other "languages".
>
> Are there Apache projects interested in working together to share
> experience
> and improvements?
>
> Regards,
>
> Hervé
>
> [1] http://mail-archives.apache.org/mod_mbox/www-legal-discuss/
>
> [2] https://reproducible-builds.org/
>
> [3] https://reproducible-builds.org/docs/jvm/
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@community.apache.org
> For additional commands, e-mail: dev-help@community.apache.org
>
>
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@community.apache.org
For additional commands, e-mail: dev-help@community.apache.org