On Sat, Jun 25, 2016 at 5:28 AM, Nico Kadel-Garcia nkadel@gmail.com wrote:
What would this reproducible builds chain look like if we were to start looking at Maven/MEAD? Also, how would we verify the content that goes through?
It's inherently unpredictable.
Unpredictable are pure Maven builds outside MEAD/Koji; MEAD enables reproducible builds by restricting access to the internal Maven repositories only. It is up to SIG policy how it will bootstrap this internal repo; if we do it all using koji maven-build from sources and do not import binary JARs, we'll have everything rebuildable from sources. The hard part is to resolve dependency chains and then build it in the right order.
Cheers, Alan
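
The ordering problem described in the reply above, as an added example that is not part of the original thread and is not Koji or MEAD code: a dependency-first build planner that also reports what cannot be built from source alone. The artifact coordinates and the `plan_builds` helper are hypothetical; the sample graph is constructed.

```python
from collections import deque

# Constructed sample: artifact -> build-time dependencies.
# Coordinates are illustrative, not taken from any real SIG repository.
SAMPLE_DEPS = {
    "org.example:parent-pom": [],
    "org.example:util": ["org.example:parent-pom"],
    "org.example:logging": ["org.example:parent-pom"],
    "org.example:core": ["org.example:util", "org.example:logging"],
    "org.example:plugin-a": ["org.example:plugin-b"],  # cycle with plugin-b
    "org.example:plugin-b": ["org.example:plugin-a"],
    "org.example:app": ["org.example:core", "org.thirdparty:codec"],
}


def plan_builds(deps):
    """Return (order, missing, stuck) for a source-only bootstrap.

    order   - artifacts sorted so every dependency is built before its user
    missing - dependencies that have no source entry in `deps`
    stuck   - artifacts that cannot be scheduled: they sit on a dependency
              cycle or depend (directly or not) on a cycle or a missing input
    """
    missing = sorted({d for ds in deps.values() for d in ds if d not in deps})
    # Count unmet dependencies; a missing dependency is never satisfied,
    # so anything relying on it stays unscheduled (Kahn's algorithm).
    unmet = {a: len(set(ds)) for a, ds in deps.items()}
    dependents = {}
    for artifact, ds in deps.items():
        for d in set(ds):
            dependents.setdefault(d, []).append(artifact)

    ready = deque(sorted(a for a, n in unmet.items() if n == 0))
    order = []
    while ready:
        built = ready.popleft()
        order.append(built)
        for user in sorted(dependents.get(built, [])):
            unmet[user] -= 1
            if unmet[user] == 0:
                ready.append(user)

    stuck = sorted(a for a in deps if a not in order)
    return order, missing, stuck


if __name__ == "__main__":
    order, missing, stuck = plan_builds(SAMPLE_DEPS)
    print("build order:", order)
    print("no source available:", missing)
    print("needs a bootstrap decision:", stuck)
```

Every entry in `missing` or `stuck` is a point where the internal repository cannot be populated purely from source builds, so the bootstrap policy has to say how that input is obtained and verified.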