On 27/06/16 20:06, Alan Pevec wrote:
> On Sat, Jun 25, 2016 at 5:28 AM, Nico Kadel-Garcia <nkadel at gmail.com> wrote:
>>> What would this reproducible builds chain look like if we were to start
>>> looking at Maven/MEAD? Also, how would we verify the content that goes
>>> through?
>>
>> It's inherently unpredictable.
>
> Unpredictable are pure Maven builds outside MEAD/Koji; MEAD enables
> reproducible builds by restricting access to the internal Maven
> repositories only.
> It is up to SIG policy how it will bootstrap this internal repo. If we
> do it all using koji maven-build from sources and do not import binary
> JARs, we'll have everything rebuildable from sources.
> Hard part is to resolve dependency chains and then build it in the right order.
>

Maybe this boils down to the question: how can someone rebuild a package OUTSIDE MEAD/Koji? If we make sure this is documented and reproducible, would it be acceptable then?

Matthias
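The thread asks how to verify the content that goes through when builds are restricted to an internal Maven repository. One mechanical check a practitioner can run after a build outside MEAD/Koji is to audit the local Maven repository for artifacts that did not come from the allowed repository. The script below is an added example, not code from this thread or from MEAD/Koji; it relies on the `_remote.repositories` marker files that Maven 3 (Maven Resolver/Aether) writes next to each downloaded artifact, which record the id of the repository the artifact was fetched from (an empty id means it was installed locally with `mvn install`). The repository id `internal`, the artifact coordinates and the sample repository layout are all assumptions constructed for the example.

```python
"""Audit a Maven local repository for artifacts not fetched from an allowed repo.

Maven 3 writes a `_remote.repositories` marker next to each downloaded
artifact, one line per file in the form

    foo-1.0.jar>internal=
    foo-1.0.pom>internal=

where `internal` is the id of the repository it was resolved from. A locally
installed artifact has an empty id: `foo-1.0.jar>=`. Anything whose id is not
in ALLOWED_REPOS either bypassed the restricted mirror or was injected by hand.
"""
import tempfile
from pathlib import Path

# Assumed id of the restricted internal mirror (an assumption for this example).
ALLOWED_REPOS = {"internal"}


def parse_remote_repositories(text):
    """Return {artifact filename: repo id} parsed from a _remote.repositories file."""
    result = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ">" not in line:
            continue  # comments and blank lines
        name, rest = line.split(">", 1)
        result[name] = rest.rstrip("=")  # "internal=" -> "internal", "=" -> ""
    return result


def audit_local_repo(repo_root, allowed=ALLOWED_REPOS):
    """Walk a local repository and list artifacts whose origin is not allowed.

    Returns a sorted list of (relative path, origin id); origin "" means the
    artifact was installed locally rather than resolved from any repository.
    """
    root = Path(repo_root)
    findings = []
    for marker in root.rglob("_remote.repositories"):
        for name, repo_id in parse_remote_repositories(marker.read_text()).items():
            if repo_id not in allowed:
                rel = (marker.parent / name).relative_to(root).as_posix()
                findings.append((rel, repo_id))
    return sorted(findings)


def build_sample_repo(root):
    """Create a constructed sample local repository (made-up coordinates)."""
    root = Path(root)
    samples = {
        "org/example/clean/1.0": ("clean-1.0", "internal"),        # from the mirror
        "org/example/leaked/2.1": ("leaked-2.1", "central"),        # bypassed the mirror
        "org/example/local/0.1-SNAPSHOT": ("local-0.1-SNAPSHOT", ""),  # mvn install
    }
    for rel, (stem, repo_id) in samples.items():
        d = root / rel
        d.mkdir(parents=True)
        for ext in ("jar", "pom"):
            (d / f"{stem}.{ext}").write_bytes(b"")  # contents irrelevant to the audit
        marker = "#NOTE: This is a Maven Resolver internal implementation file\n"
        marker += "".join(f"{stem}.{ext}>{repo_id}=\n" for ext in ("jar", "pom"))
        (d / "_remote.repositories").write_text(marker)
    return root


def run_demo():
    """Build the sample repository in a temp dir and return the audit findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_repo(tmp)
        return audit_local_repo(tmp)


if __name__ == "__main__":
    for path, origin in run_demo():
        print(f"{path}: origin={origin or '<locally installed>'}")
```

Run it against a real build with `audit_local_repo(Path.home() / ".m2" / "repository")`; a clean result is one line of evidence that the rebuild drew only from the internal repository, though it says nothing about how that repository itself was bootstrapped, which the thread leaves to SIG policy.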