incubator-general mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Daniel Shahaf <>
Subject Re: How to review so-called "binary releases"?
Date Thu, 15 Nov 2018 03:38:25 GMT
Myrle Krantz wrote on Wed, Nov 14, 2018 at 17:19:35 +0100:
> On Wed, Nov 14, 2018 at 1:12 PM Daniel Shahaf <>
> wrote:
> > The answer to (1) depends on the build platform and toolchain.
> > Reproducible builds [in the sense of "building the same source twice
> > gives bit-for-bit identical binaries"] can help with it.  When the
> > answer is negative, the next question is whether those unauditable
> > artifacts should be carried by ASF mirrors alongside the source
> > artifacts.
> >
> So if a project puts in the effort to
> a.) make their build reproducible (which can actually be very difficult to
> do), and
> b.) do a bit-for bid compare on a release across at least two build
> artifacts, created by different people on different machines...
> ...would we be willing to see that threat as sufficiently eliminated for
> our purposes?  Would we then be willing to "officially" release binaries?

I would say yes.

I would further note that this is a *sufficient* condition, not a
necessary one.  Often, binaries are _nearly_ reproducible but not _bit
for bit_ reproducible — for example, they might contain a date in the
RM's timezone, or the RM's uname(1) output, etc.  Such differences are
auditable, and it would be reasonable for a PMC member to compare the
proposed binary artifact to one he built locally, see that the
differences are acceptable, and vote +1 on the binary artifact — just
like we do for source artifacts (when we compare tarballs to tags).



To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message