incubator-general mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Myrle Krantz <my...@apache.org>
Subject Re: How to review so-called "binary releases"?
Date Wed, 14 Nov 2018 16:19:35 GMT
On Wed, Nov 14, 2018 at 1:12 PM Daniel Shahaf <d.s@daniel.shahaf.name>
wrote:

> The answer to (1) depends on the build platform and toolchain.
> Reproducible builds [in the sense of "building the same source twice
> gives bit-for-bit identical binaries"] can help with it.  When the
> answer is negative, the next question is whether those unauditable
> artifacts should be carried by ASF mirrors alongside the source
> artifacts.
>

So if a project puts in the effort to
a.) make their build reproducible (which can actually be very difficult to
do), and
b.) do a bit-for bid compare on a release across at least two build
artifacts, created by different people on different machines...

...would we be willing to see that threat as sufficiently eliminated for
our purposes?  Would we then be willing to "officially" release binaries?

Best Regards,
Myrle

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message