[
https://issues.apache.org/jira/browse/TIKA-4590?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18057073#comment-18057073
]
Hervé Boutemy edited comment on TIKA-4590 at 2/7/26 5:02 PM:
-------------------------------------------------------------
with TIKA-4470 done, everything should be fine:
https://github.com/jvm-repo-rebuild/reproducible-central/blob/master/content/org/apache/tika/README.md
small doc added in TIKA-4648 is fine
to me, the next question is: do you want/need to check also the Docker image?
was (Author: hboutemy):
with TIKA-4470 done, everything should be fine:
small doc added in TIKA-4648 is fine
to me, the next question is: do you want/need to check also the Docker image?
> Implement Reproducible Builds for Apache Tika
> ---------------------------------------------
>
> Key: TIKA-4590
> URL: https://issues.apache.org/jira/browse/TIKA-4590
> Project: Tika
> Issue Type: Task
> Reporter: Nicholas DiPiazza
> Priority: Major
> Labels: build, reproducible-builds, security
>
> h2. Problem
> Apache Tika builds are currently not reproducible. The Apache Software
> Foundation Security team requires reproducible builds to ensure build
> integrity and security.
> h2. Background
> Reproducible builds allow anyone to verify that the published binaries were
> built from the exact source code without any modifications. This is critical
> for security and supply chain integrity.
> h2. Requirements
> * Builds must produce bit-for-bit identical outputs when built from the same
> source code
> * Build timestamps and other non-deterministic elements must be normalized
> * Build environment variations should not affect output
> * Verification documentation should be provided
> h2. Expected Outcome
> * Maven builds configured for reproducibility
> * All artifacts (JARs, source archives) are reproducible
> * Build process documented with verification steps
> * Integration with Apache release process
> h2. References
> * Apache Software Foundation Security requirements
> * [Reproducible Builds Project|https://reproducible-builds.org/]
> * [Maven Reproducible Builds Guide|https://maven.apache.org/guides/mini/guide-reproducible-builds.html]
> h2. Acceptance Criteria
> # Configure maven-artifact-plugin with buildinfo generation
> # Set project.build.outputTimestamp property
> # Verify builds are reproducible across different environments
> # Document the verification process
> # Update release documentation
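As an added illustration of the acceptance criteria quoted above (this is not code from Tika, the Jira thread, or the Maven plugins): a Python check that builds the same constructed sample jar twice, once stamped with each build machine's wall-clock time and once with a fixed timestamp standing in for `project.build.outputTimestamp`, then reports which entries make the bytes differ. The entry contents and the three timestamps are constructed for the example.

```python
import hashlib
import io
import zipfile
from datetime import datetime, timezone

# Constructed stand-ins for the files a build packs into a jar.
SAMPLE_ENTRIES = {
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "org/example/Parser.class": b"\xca\xfe\xba\xbe" + b"\x00" * 16,
}
# Constructed clocks of two build machines, and one fixed value playing the
# role of project.build.outputTimestamp (a single date every build reuses).
BUILD_1_CLOCK = datetime(2025, 3, 1, 9, 15, 0, tzinfo=timezone.utc)
BUILD_2_CLOCK = datetime(2025, 3, 2, 14, 40, 0, tzinfo=timezone.utc)
OUTPUT_TIMESTAMP = datetime(2025, 1, 15, 10, 0, 0, tzinfo=timezone.utc)


def build_jar(entries, timestamp):
    """Pack entries into an in-memory jar, stamping every entry's mtime with
    `timestamp`. Sorted entry order is itself part of being deterministic."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in sorted(entries):
            info = zipfile.ZipInfo(name, date_time=timestamp.timetuple()[:6])
            info.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(info, entries[name])
    return buf.getvalue()


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def diff_jars(jar_a, jar_b):
    """List the entry-level reasons two jars are not bit-for-bit identical:
    entries present on one side only, differing content, or differing mtime."""
    za, zb = zipfile.ZipFile(io.BytesIO(jar_a)), zipfile.ZipFile(io.BytesIO(jar_b))
    names_a, names_b = set(za.namelist()), set(zb.namelist())
    diffs = [f"{n}: present in only one archive" for n in sorted(names_a ^ names_b)]
    for name in sorted(names_a & names_b):
        if za.read(name) != zb.read(name):
            diffs.append(f"{name}: content differs")
        ia, ib = za.getinfo(name), zb.getinfo(name)
        if ia.date_time != ib.date_time:
            diffs.append(f"{name}: mtime {ia.date_time} != {ib.date_time}")
    return diffs


def compare_builds(timestamp_a, timestamp_b):
    """Build the sample jar twice and return (hashes_match, differences)."""
    jar_a, jar_b = build_jar(SAMPLE_ENTRIES, timestamp_a), build_jar(SAMPLE_ENTRIES, timestamp_b)
    return sha256(jar_a) == sha256(jar_b), diff_jars(jar_a, jar_b)
```

With the two wall clocks the hashes differ and every entry is reported with an mtime mismatch; with the fixed timestamp on both sides the hashes match and the difference list is empty.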
--
This message was sent by Atlassian Jira
(v8.20.10#820010)