Thanks a lot for your help.
I referenced your reply in the Jira issue and they will probably let us know
what is and isn’t possible.
https://issues.apache.org/jira/projects/INFRA/issues/INFRA-25610?filter=reportedbyme
Best regards,
Bertil
> On 21 Mar 2024, at 14:34, Arnout Engelen wrote:
>
Hello Bertil,
Thanks for the update! That sounds good from my side - I'm not sure I've
seen other projects also do the upload to dist.apache.org from CI, Infra
might have more background on whether/how to best achieve that.
Kind regards,
Arnout
On Wed, Mar 20, 2024 at 10:56 PM Bertil Chapuis
Hello Arnout,
The workflow and the instructions have now been updated and they ensure that
our builds are bit-by-bit reproducible. Building the release on Linux or on a
Mac from the release tag with OpenJDK 17 and the Maven wrapper produces the same
tar.gz files as the one produced by the GitHub Ac
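As an added example (not the Baremaps release workflow or any code from the original mail): a POSIX shell check a reviewer could run after rebuilding the tag locally, comparing the rebuilt tar.gz against the digest published beside it under the usual dist.apache.org naming (artifact plus a `.sha512` file). It assumes the checksum file is in either coreutils `sha512sum` layout or `gpg --print-md SHA512` layout and normalizes both; the file names and sample bytes in the demo are constructed, not real release artifacts.

```shell
#!/bin/sh
# Added example, not Baremaps project code: check that a locally rebuilt
# release tarball matches the digest published next to it (assumed layout:
# <artifact>.sha512 beside <artifact>). The checksum file may be in coreutils
# "HASH  filename" layout or in "gpg --print-md SHA512" layout ("filename:"
# followed by uppercase hex in groups of four, wrapped over several lines),
# so both are reduced to a bare lowercase 128-character digest first.

# Lowercase SHA-512 hex digest of a file (coreutils on Linux, shasum on macOS).
sha512_of() {
  if command -v sha512sum >/dev/null 2>&1; then
    sha512sum "$1" | cut -d' ' -f1
  else
    shasum -a 512 "$1" | cut -d' ' -f1
  fi
}

# Reduce a .sha512 file to a bare digest: strip a leading "filename:" prefix,
# join wrapped hex groups, drop all whitespace, fold case, keep 128 hex chars.
normalize_sha512_file() {
  sed 's/^[^:]*://' "$1" | tr -d ' \t\r\n' | tr 'A-F' 'a-f' | cut -c1-128
}

# verify_release TARBALL CHECKSUM_FILE
#   exit 0 = digests match, 1 = mismatch, 2 = checksum file unusable.
verify_release() {
  expected=$(normalize_sha512_file "$2")
  case "$expected" in
    *[!0-9a-f]*|'') echo "unusable checksum file: $2" >&2; return 2 ;;
  esac
  [ "${#expected}" -eq 128 ] || { echo "unusable checksum file: $2" >&2; return 2; }
  actual=$(sha512_of "$1")
  if [ "$actual" = "$expected" ]; then
    echo "OK: $1 reproduces the published digest"
    return 0
  fi
  echo "MISMATCH: $1" >&2
  echo "  rebuilt:   $actual" >&2
  echo "  published: $expected" >&2
  return 1
}

# Write DIGEST for NAME in gpg --print-md style (uppercase hex in groups of
# four, wrapped over several lines). Used only to build constructed demo data.
write_gpg_style_sha512() {
  digest_upper=$(printf '%s' "$2" | tr 'a-f' 'A-F' | sed 's/..../& /g')
  printf '%s: %s\n' "$1" "$digest_upper" | fold -w 60 -s
}

# Constructed demo: a fake "tarball" (a few bytes, not a real Maven build
# output), its digest published in both layouts, and a tampered rebuild.
# Returns 0 only if the genuine file verifies twice and the tampered one fails.
demo_reproducibility_check() {
  work=$(mktemp -d) || return 3
  printf 'constructed sample release bytes\n' > "$work/sample-release.tar.gz"
  digest=$(sha512_of "$work/sample-release.tar.gz")
  printf '%s  sample-release.tar.gz\n' "$digest" > "$work/coreutils.sha512"
  write_gpg_style_sha512 sample-release.tar.gz "$digest" > "$work/gpg.sha512"
  printf 'constructed sample release bytes, one extra byte\n' > "$work/tampered.tar.gz"
  verify_release "$work/sample-release.tar.gz" "$work/coreutils.sha512" || return 1
  verify_release "$work/sample-release.tar.gz" "$work/gpg.sha512" || return 1
  verify_release "$work/tampered.tar.gz" "$work/gpg.sha512" 2>/dev/null && return 1
  rm -rf "$work"
  return 0
}

# Stand-alone use: verify_release <rebuilt.tar.gz> <published.sha512>
if [ "$#" -eq 2 ]; then
  verify_release "$1" "$2"
else
  demo_reproducibility_check && echo "demo: all checks behaved as expected"
fi
```

Comparing digests only tells you the rebuilt tarball is byte-identical to what was published; it says nothing about whether the published file was signed by the release manager, so it complements, rather than replaces, a `gpg --verify` of the detached `.asc` signature.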
Hi Arnout,
Thanks a lot for your answer. The old process is documented and the new one has
not yet been finalised. That being said, I haven’t checked if it is bit-by-bit
reproducible. I will try to see what it means in our case and come back to you
once we have more information.
Best regards,
Hi Bertil, baremaps PPMC,
Thanks for checking! That sounds pretty good already.
Part of the challenge in releasing from CI is that CI systems are
notoriously hard to secure, and an undetected supply-chain attack
could lead to publishing artifacts with injected malware. For that
reason I'm sure yo