[ https://issues.apache.org/jira/browse/TIKA-4590?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18048938#comment-18048938 ]

Hervé Boutemy commented on TIKA-4590:
-------------------------------------

Small improvement proposal for the issue description:
> The Apache Software Foundation Security team requires reproducible builds to 
> ensure build integrity and security.

I propose to change to
"The Apache Software Foundation Security team requires reproducible builds to 
ensure *release* integrity and security."

and also "this is a prerequisite to release signing from CI"

> Implement Reproducible Builds for Apache Tika
> ---------------------------------------------
>
>                 Key: TIKA-4590
>                 URL: https://issues.apache.org/jira/browse/TIKA-4590
>             Project: Tika
>          Issue Type: Task
>            Reporter: Nicholas DiPiazza
>            Priority: Major
>              Labels: build, reproducible-builds, security
>
> h2. Problem
> Apache Tika builds are currently not reproducible. The Apache Software 
> Foundation Security team requires reproducible builds to ensure build 
> integrity and security.
> h2. Background
> Reproducible builds allow anyone to verify that the published binaries were 
> built from the exact source code without any modifications. This is critical 
> for security and supply chain integrity.
> h2. Requirements
> * Builds must produce bit-for-bit identical outputs when built from the same 
> source code
> * Build timestamps and other non-deterministic elements must be normalized
> * Build environment variations should not affect output
> * Verification documentation should be provided
> h2. Expected Outcome
> * Maven builds configured for reproducibility
> * All artifacts (JARs, source archives) are reproducible
> * Build process documented with verification steps
> * Integration with Apache release process
> h2. References
> * Apache Software Foundation Security requirements
> * [Reproducible Builds Project|https://reproducible-builds.org/]
> * [Maven Reproducible Builds 
> Guide|https://maven.apache.org/guides/mini/guide-reproducible-builds.html]
> h2. Acceptance Criteria
> # Configure maven-artifact-plugin with buildinfo generation
> # Set project.build.outputTimestamp property
> # Verify builds are reproducible across different environments
> # Document the verification process
> # Update release documentation
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
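An added verification helper, not code from the Tika project or from this issue, for the "verify builds are reproducible" step: it checks whether two JARs built from the same source are bit-for-bit identical and, when they are not, whether the difference is only ZIP entry metadata such as timestamps (what project.build.outputTimestamp normalizes) or actual entry content. The in-memory JAR builder, entry names and class bytes are constructed for the demo.

```python
"""Compare two JAR (ZIP) artifacts for reproducibility and classify any
difference as metadata-only (e.g. leaked build timestamps) or real content."""
import hashlib
import io
import zipfile
from datetime import datetime, timezone


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_sample_jar(stamp: datetime, class_bytes: bytes) -> bytes:
    """Constructed stand-in for a Maven-built JAR: every entry carries the
    given timestamp, as the jar plugin does with project.build.outputTimestamp."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name in ("META-INF/MANIFEST.MF", "org/example/Main.class"):
            info = zipfile.ZipInfo(name, date_time=stamp.timetuple()[:6])
            info.compress_type = zipfile.ZIP_DEFLATED
            body = class_bytes if name.endswith(".class") else b"Manifest-Version: 1.0\n"
            zf.writestr(info, body)
    return buf.getvalue()


def compare_jars(a: bytes, b: bytes) -> dict:
    """Return identical / metadata_only flags plus entries whose bytes differ."""
    if sha256(a) == sha256(b):
        return {"identical": True, "metadata_only": False, "content_diffs": []}
    za, zb = zipfile.ZipFile(io.BytesIO(a)), zipfile.ZipFile(io.BytesIO(b))
    names_a, names_b = set(za.namelist()), set(zb.namelist())
    # An entry present on one side only, or with different bytes, is a content diff;
    # anything else (timestamps, order, attributes) is metadata the build must normalize.
    content_diffs = sorted(n for n in names_a | names_b
                           if n not in names_a or n not in names_b
                           or za.read(n) != zb.read(n))
    return {"identical": False, "metadata_only": not content_diffs,
            "content_diffs": content_diffs}


def demo() -> dict:
    fixed = datetime(2024, 1, 1, tzinfo=timezone.utc)      # constructed outputTimestamp
    leaked = datetime(2025, 6, 1, 12, 30, tzinfo=timezone.utc)  # constructed wall-clock time
    cls = b"\xca\xfe\xba\xbe" + b"\x00" * 12                # constructed class-file bytes
    jar_ref = build_sample_jar(fixed, cls)
    return {"reproducible": compare_jars(jar_ref, build_sample_jar(fixed, cls)),
            "timestamp_leak": compare_jars(jar_ref, build_sample_jar(leaked, cls)),
            "content_change": compare_jars(jar_ref, build_sample_jar(fixed, cls + b"\x01"))}
```

Running demo() against real artifacts means replacing build_sample_jar with the bytes of the released JAR and of a local rebuild at the same tagged source.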