On 27/06/16 20:06, Alan Pevec wrote:
> On Sat, Jun 25, 2016 at 5:28 AM, Nico Kadel-Garcia nkadel@gmail.com wrote:
>> What would this reproducible builds chain look like if we were to start looking at Maven/MEAD? Also, how would we verify the content that goes through?
>> It's inherently unpredictable.
> Pure Maven builds outside MEAD/Koji are unpredictable; MEAD enables reproducible builds by restricting access to the internal Maven repositories only. It is up to SIG policy how it will bootstrap this internal repo; if we do it all using koji maven-build from sources and do not import binary JARs, we'll have everything rebuildable from sources. The hard part is to resolve dependency chains and then build it in the right order.
Maybe this boils down to the question: how can someone rebuild a package OUTSIDE MEAD/Koji.
If we make sure this is documented and reproducible, would it be acceptable then?
Matthias
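The reply above says the hard part of a source-only internal repository is resolving the dependency chain and building artifacts in the right order, and that importing binary JARs breaks the "everything rebuildable from sources" property. The following is an added example, not code from the thread, MEAD or Koji: it takes a constructed map of Maven-style artifact coordinates to their dependencies, flags any dependency that has no sources (i.e. would have to be imported as a binary), and computes a build order with Kahn's topological sort, refusing to proceed on a cycle, since a cycle cannot be bootstrapped without a binary seed. The artifact names are invented sample data.

```python
"""Build-order resolution for a source-only internal Maven repository.

Added example, not part of the original mailing-list thread. Artifact
coordinates and dependencies below are constructed sample data.
"""
from collections import deque

# Constructed: artifacts we hold sources for, mapped to what they depend on.
SOURCE_ARTIFACTS = {
    "org.example:app": ["org.example:core", "org.example:util", "commons:io"],
    "org.example:core": ["org.example:util", "commons:lang"],
    "org.example:util": [],
    "commons:io": [],
    "commons:lang": [],
}


def find_binary_only(graph):
    """Return dependencies that are referenced but absent from the source set.

    These are exactly the artifacts that would have to be imported as binary
    JARs, which is what breaks rebuildability from sources.
    """
    missing = set()
    for deps in graph.values():
        for dep in deps:
            if dep not in graph:
                missing.add(dep)
    return sorted(missing)


def build_order(graph):
    """Kahn's algorithm: an order in which every artifact follows its deps.

    Raises ValueError if some dependency has no sources or if the chain is
    cyclic; either case means the repo cannot be bootstrapped purely from
    source builds.
    """
    missing = find_binary_only(graph)
    if missing:
        raise ValueError(f"no sources for: {missing}")

    indegree = {art: 0 for art in graph}      # unresolved deps per artifact
    dependents = {art: [] for art in graph}   # reverse edges
    for art, deps in graph.items():
        for dep in deps:
            indegree[art] += 1
            dependents[dep].append(art)

    # Sorted so the result is deterministic for a given graph.
    ready = deque(sorted(a for a, n in indegree.items() if n == 0))
    order = []
    while ready:
        art = ready.popleft()
        order.append(art)
        for child in sorted(dependents[art]):
            indegree[child] -= 1
            if indegree[child] == 0:
                ready.append(child)

    if len(order) != len(graph):
        stuck = sorted(a for a, n in indegree.items() if n > 0)
        raise ValueError(f"dependency cycle among: {stuck}")
    return order


def verify_order(graph, order):
    """Independent check: every artifact appears after all of its deps."""
    position = {art: i for i, art in enumerate(order)}
    return all(
        position[dep] < position[art]
        for art, deps in graph.items()
        for dep in deps
    )


if __name__ == "__main__":
    for step, art in enumerate(build_order(SOURCE_ARTIFACTS), 1):
        print(f"{step}: koji maven-build {art}")
```

Running the module prints the five constructed artifacts in an order where `org.example:util`, `commons:io` and `commons:lang` are built first and `org.example:app` last; a real bootstrap would feed each step to the build system in that sequence so that no artifact ever resolves a dependency from outside the internal repository.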