maven-issues mailing list archives

From Hervé Boutemy (JIRA) <j...@apache.org>
Subject [jira] [Comment Edited] (MSHARED-661) Make "Built-By", "Built-Jdk" and "Created-By" Manifest entries optional for reproducible builds
Date Sun, 08 Oct 2017 13:14:00 GMT

    [ https://issues.apache.org/jira/browse/MSHARED-661?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16196106#comment-16196106 ]

Hervé Boutemy edited comment on MSHARED-661 at 10/8/17 1:13 PM:
----------------------------------------------------------------

from the beginning, I like these manifest entries since they give you info on some key facts
on how the binary was done: I like traceability

with Reproducible/Verifiable Builds https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=74682318
, the general logic completely changes with IMHO a more accurate/ambitious strategy: it's not
just about traceability, but verifiability

when you have verifiable builds, traceability of such details is not useful

we don't have verifiable builds yet: that's why simply removing traceability is for me a little
bit too early
but adding an option to drop some traceability when you're working on verifiability, when
traceability is causing issues to verifiability, is an approach I find consistent, isn't it?


was (Author: hboutemy):
from the beginning, I like these manifest entries since they give you info on some key facts
the binary was done: I like traceability

with Reproducible/Verifiable Builds https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=74682318
, the general logic completely changes with IMHO a more accurate strategy: it's not just about
traceability, but verifiability

when you have verifiable builds, traceability of such details is not useful

we don't have verifiable builds yet: that's why simply removing traceability is for me a little
bit too early
but adding an option to drop some traceability when you're working on verifiability, when
traceability is causing issues to verifiability, is an approach I find consistent, isn't it?

> Make "Built-By", "Built-Jdk" and "Created-By" Manifest entries optional for reproducible builds
> -----------------------------------------------------------------------------------------------
>
>                 Key: MSHARED-661
>                 URL: https://issues.apache.org/jira/browse/MSHARED-661
>             Project: Maven Shared Components
>          Issue Type: New Feature
>          Components: maven-archiver
>            Reporter: Zlika
>            Priority: Minor
>
> Maven-archiver automatically creates "Built-By", "Build-Jdk" and "Created-By" Manifest entries. In the frame of a reproducible build (cf. MNG-6276) these entries make the build not reproducible.
> Maven-archiver should propose an option to disable the creation of these non-reproducible manifest entries.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
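
The effect described in the issue, as an added example (not code from maven-archiver or from the original message): two JARs with identical content but different "Built-By" and "Build-Jdk" values hash differently, and hash the same once the entries named in the issue are dropped. The JAR contents, the `demo/App.class` entry and all manifest values are constructed for illustration.

```python
import hashlib
import io
import zipfile

# Entries named in the issue; its title says "Built-Jdk", its description "Build-Jdk".
VOLATILE = {"built-by", "build-jdk", "built-jdk", "created-by"}
FIXED_TIME = (2017, 10, 8, 0, 0, 0)  # constant zip timestamp, so only the manifest varies
MANIFEST, PAYLOAD = "META-INF/MANIFEST.MF", "demo/App.class"  # PAYLOAD is a made-up entry

def parse_manifest(jar_bytes):
    """Main-section manifest attributes as a dict, joining continuation lines."""
    text = zipfile.ZipFile(io.BytesIO(jar_bytes)).read(MANIFEST).decode()
    attrs, key = {}, None
    for line in text.splitlines():
        if not line:
            break                      # a blank line ends the main section
        if line.startswith(" ") and key:
            attrs[key] += line[1:]     # continuation of the previous value
        else:
            key, _, value = line.partition(": ")
            attrs[key] = value
    return attrs

def build_jar(attrs, payload=b"constructed class bytes"):
    """Write a minimal JAR with fixed timestamps and entry order."""
    manifest = "".join(f"{k}: {v}\r\n" for k, v in attrs.items()) + "\r\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name, data in ((MANIFEST, manifest.encode()), (PAYLOAD, payload)):
            jar.writestr(zipfile.ZipInfo(name, date_time=FIXED_TIME), data)
    return buf.getvalue()

def jar_digest(jar_bytes, strip_volatile=False):
    """SHA-256 of the JAR, optionally rebuilt without the volatile entries."""
    if strip_volatile:
        attrs = parse_manifest(jar_bytes)
        kept = {k: v for k, v in attrs.items() if k.lower() not in VOLATILE}
        payload = zipfile.ZipFile(io.BytesIO(jar_bytes)).read(PAYLOAD)
        jar_bytes = build_jar(kept, payload)
    return hashlib.sha256(jar_bytes).hexdigest()

def differing_entries(jar_a, jar_b):
    """Manifest attribute names whose values differ between two JARs."""
    a, b = parse_manifest(jar_a), parse_manifest(jar_b)
    return {k for k in a.keys() | b.keys() if a.get(k) != b.get(k)}

# Constructed sample: same payload, two builders with different user name and JDK.
COMMON = {"Manifest-Version": "1.0", "Created-By": "Apache Maven"}
JAR_A = build_jar({**COMMON, "Built-By": "alice", "Build-Jdk": "1.8.0_144"})
JAR_B = build_jar({**COMMON, "Built-By": "bob", "Build-Jdk": "1.8.0_131"})
```

`differing_entries(JAR_A, JAR_B)` names the attributes responsible for a digest mismatch, which is the first thing to check when an independent rebuild does not match a published artifact.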
