Re: [DISCUSS] Release source and binary verification

2024-08-23 Thread Piotr Findeisen
Hi! Russel, Justin, JB, thanks for your comments! I started this thread because I believe that source and binary verification are very important verification steps we should be doing, especially in the light of supply chain attacks that we've witnessed (XZ). We should have processes in the Iceber

Re: [DISCUSS] Release source and binary verification

2024-08-21 Thread Jean-Baptiste Onofré
Hi Justin, Thanks for clarifying, I was not clear in my previous email (I tried to mean even gradle wrapper is *not* OK). We don't package any binary in the Iceberg source distribution though. Regards JB On Tue, Aug 20, 2024 at 11:55 PM Justin Mclean wrote: > > Hi, > > > I would add an additio

Re: [DISCUSS] Release source and binary verification

2024-08-21 Thread Justin Mclean
Hi, > Just to clarify that we're currently not adding the gradle wrapper in the > source distribution. We have some custom code > > for that exact reason that downloads the gradle wrapper if it's m

Re: [DISCUSS] Release source and binary verification

2024-08-21 Thread Eduard Tudenhöfner
> > It’s not OK to include the gradle wrapper in the source release. A source > release can't include any jars with compiled code in them. Just to clarify that we're currently not adding the gradle wrapper in the source distribution. We have some custom code

Re: [DISCUSS] Release source and binary verification

2024-08-20 Thread Justin Mclean
Hi, > I would add an additional check on the source distribution: the source > distribution should not contain any unexpected binary file (gradle > wrapper is OK, but other binary should be avoided). It’s not OK to include the gradle wrapper in the source release. A source release can't include

Re: [DISCUSS] Release source and binary verification

2024-08-20 Thread Jean-Baptiste Onofré
Hi Piotr It sounds reasonable to me. If you mean reproducible build (the build from the same source should create the same artifact), I submitted some changes a while ago, adding fixed file order, etc. We should be good (https://github.com/apache/iceberg/pull/8826). I would add an additional che

Re: [DISCUSS] Release source and binary verification

2024-08-20 Thread Russell Spitzer
I think these are reasonable to add, we probably should also verify there are no binaries of any kind in the release tarball. Sometimes builds accidentally leak these. On Tue, Aug 20, 2024 at 8:36 AM Piotr Findeisen wrote: > Hi All, > > Hi > > The release verification [1] includes testing releas

[DISCUSS] Release source and binary verification

2024-08-20 Thread Piotr Findeisen
Hi All, Hi The release verification [1] includes testing release source tarball builds and also testing the binaries with downstream projects. Does it also contain, should it contain or is it a conscious omission of: 1. verifying the source tarball is what it should be (source matches the git r
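A concrete form of two of the checks raised in this thread (Russell's and JB's "no binary files in the source tarball", and Piotr's "source tarball matches the git tag"), as an added example that is not Iceberg's own verification script and is not taken from any of the posts above. It assumes the source release has already been unpacked into a directory and, for the second check, that the tagged commit's tree has been exported beside it (for instance with `git archive <tag> | tar -x -C <dir>`). The NUL-byte heuristic for "binary" and the list of flagged file extensions are my choices for the example, not a project convention.

```sh
#!/bin/sh
# Added example, not Iceberg's release-verification tooling.
# Two of the checks discussed in the thread, as POSIX sh functions:
#   find_binaries DIR    - list files in an unpacked source release that are
#                          binaries (compiled code or any other non-text file)
#   tree_diff DIR1 DIR2  - compare the file list of the unpacked tarball with
#                          the tree of the tagged commit (assumed to have been
#                          exported with `git archive <tag> | tar -x -C DIR2`)
# Assumption: a NUL byte in the first 4 KiB means "not source text". This
# catches jars, .class files and native libraries whatever they are named.

# is_binary FILE: succeed if the first 4 KiB of FILE contain a NUL byte.
is_binary() {
    dd if="$1" bs=4096 count=1 2>/dev/null | od -An -v -tx1 |
        tr -s ' \n' '\n' | grep -qx '00'
}

# find_binaries DIR: print every regular file under DIR that is either a
# well-known compiled-artifact type (flagged by name, even if tiny) or
# fails the NUL-byte test. Empty output means the tree is clean.
find_binaries() {
    find "$1" -type f | while IFS= read -r f; do
        case "$f" in
            *.jar|*.class|*.so|*.dll|*.dylib|*.exe|*.zip)
                printf '%s\n' "$f"; continue ;;
        esac
        if is_binary "$f"; then printf '%s\n' "$f"; fi
    done
}

# count_binaries DIR: number of files find_binaries would report.
count_binaries() {
    find_binaries "$1" | awk 'END { print NR }'
}

# tree_files DIR: sorted list of regular files relative to DIR, skipping a
# .git directory so a plain checkout can also be used as the reference.
tree_files() {
    ( cd "$1" && find . -name .git -prune -o -type f -print | sort )
}

# tree_diff DIR1 DIR2: exit 0 if both trees contain exactly the same paths,
# otherwise print the diff. Files that exist only in DIR1 (the tarball)
# appear as '<' lines; files missing from the tarball appear as '>' lines.
tree_diff() {
    listing=$(mktemp) || return 2
    tree_files "$1" > "$listing"
    if tree_files "$2" | diff "$listing" -; then rc=0; else rc=1; fi
    rm -f "$listing"
    return "$rc"
}

# Usage: sh check_release.sh UNPACKED_SRC_DIR [TAG_TREE_DIR]
if [ "$#" -ge 1 ]; then
    status=0
    echo "Binary files under $1:"
    if [ "$(count_binaries "$1")" -gt 0 ]; then
        find_binaries "$1"
        status=1
    else
        echo "  (none)"
    fi
    if [ "$#" -ge 2 ]; then
        echo "File list of $1 versus $2:"
        tree_diff "$1" "$2" && echo "  identical" || status=1
    fi
    exit "$status"
fi
```

Run it as `sh check_release.sh <unpacked-src-dir> [<tag-tree-dir>]`; a non-zero exit means either a binary was found or the file lists differ. Two caveats: an identical file list only shows that nothing was added or dropped, so once the lists agree follow up with a content comparison (`diff -r` of the two directories) before concluding the tarball matches the tag; and the NUL-byte test will not flag a text-encoded artifact (for example a base64 blob inside a script), so the name-based patterns and a manual look at anything unusual still have a place.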