[tor-dev] Trip Report: Reproducible Builds Summit

Hans-Christoph Steiner hans at guardianproject.info
Mon Dec 9 14:27:41 UTC 2019


I was at the 5th Reproducible Builds Summit this past week, representing
mostly Android topics.  I attended the first two, so it was nice to see
that there has been some real progress in the past few years of work.
My main focus was working with an Apache/Maven developer on implementing
the "buildinfo" spec for publishing reproducible Java JAR builds to
Maven Central and other Maven repositories.  Maven repositories are
central to the whole Android and Java ecosystems as the primary means of
getting libraries.  We used the jtorctl library to prototype how this
system will look when using the Maven, Gradle, and Bazel build systems.

Given the results of our brief work, we should have something working
and deployed this year.  And there is already a Maven plugin for
publishing the "buildinfo" files.  So it should be easy to start getting
libraries to publish these to Maven Central and other Maven
repositories.  Then the Apache/Maven developer plans to push the Apache
Software Foundation to require reproducible builds for all its official
Java releases.

If you want to help with this effort, you can start publishing buildinfo
files with your library, or try rebuilding libraries based on published
buildinfo files to test whether there is enough information to reproduce
the builds.

.hc

-- 
PGP fingerprint: EE66 20C7 136B 0D2C 456C  0A4D E9E2 8DEA 00AA 5556
https://pgp.mit.edu/pks/lookup?op=vindex&search=0xE9E28DEA00AA5556
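The rebuild check suggested above, as an added example that is not part of the original post or of any project's code: it parses the `outputs.N.*` entries of a Maven-style `.buildinfo` file and compares them against the artifacts a local rebuild produced. The `.buildinfo` text and the artifact bytes are constructed inline, and the key layout is assumed to follow the reproducible-builds.org JVM buildinfo format.

```python
import hashlib
import re

# Constructed sample: bytes of the artifacts produced by a local rebuild, keyed by filename.
REBUILT = {
    "jtorctl-0.4.pom": b"<project>constructed pom</project>",
    "jtorctl-0.4.jar": b"PK\x03\x04 constructed jar bytes",
}

def sha512_hex(data):
    return hashlib.sha512(data).hexdigest()

# Constructed .buildinfo in the key=value layout of the JVM buildinfo format (assumed; only the
# outputs.N.* keys matter here). The pom matches the rebuild, the jar carries a different
# upstream hash, and the sources jar was published upstream but is absent from the rebuild.
BUILDINFO = "\n".join([
    "buildinfo.version=1.0-SNAPSHOT",
    "outputs.0.filename=jtorctl-0.4.pom",
    f"outputs.0.length={len(REBUILT['jtorctl-0.4.pom'])}",
    f"outputs.0.checksums.sha512={sha512_hex(REBUILT['jtorctl-0.4.pom'])}",
    "outputs.1.filename=jtorctl-0.4.jar",
    f"outputs.1.length={len(REBUILT['jtorctl-0.4.jar'])}",
    f"outputs.1.checksums.sha512={sha512_hex(b'different upstream jar bytes')}",
    "outputs.2.filename=jtorctl-0.4-sources.jar",
    "outputs.2.length=4321",
    f"outputs.2.checksums.sha512={sha512_hex(b'sources')}",
])

OUTPUT_KEY = re.compile(r"^outputs\.(\d+)\.(filename|length|checksums\.sha512)=(.*)$")

def parse_outputs(text):
    """Group outputs.N.* lines by N and return {filename: (length, sha512)}."""
    entries = {}
    for line in text.splitlines():
        m = OUTPUT_KEY.match(line.strip())
        if m:
            entries.setdefault(m.group(1), {})[m.group(2)] = m.group(3)
    return {e["filename"]: (int(e["length"]), e["checksums.sha512"]) for e in entries.values()}

def verify_rebuild(buildinfo_text, rebuilt):
    """Check each declared output against the rebuilt bytes; return {filename: status}."""
    report = {}
    for name, (length, digest) in parse_outputs(buildinfo_text).items():
        data = rebuilt.get(name)
        if data is None:
            report[name] = "missing from rebuild"
        elif len(data) != length:
            report[name] = "length mismatch"
        else:
            report[name] = "reproduced" if sha512_hex(data) == digest else "sha512 mismatch"
    return report
```

A real run would read the published `.buildinfo` and the files in the rebuild's output directory; any status other than "reproduced" means the buildinfo did not carry enough information to reproduce that artifact, which is exactly the feedback the effort is asking for.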
