1 file changed +9 -5 lines changed
@@ -163,9 +163,14 @@ Note: GPG signatures are verified **only** against the project's `KEYS` file.
163163
164164# Reproducible builds
165165
166- A build is reproducible if the built artifacts are identical on every build from the same source.
166+ A build is reproducible if the built artifacts are identical for every build on every machine from the same source.
167167
168- The Apache Polaris build is currently mostly reproducible, with some release-version specific exceptions.
168+ The Apache Polaris build is currently _ mostly_ reproducible, with some release-version specific exceptions.
169+
170+ References:
171+ * [ reproducible-builds.org] ( https://reproducible-builds.org/ )
172+ * [ Reproducible builds at the ASF] ( https://cwiki.apache.org/confluence/display/SECURITY/Reproducible+Builds )
173+ * [ Polaris tracking issue] ( https://github.com/apache/polaris/issues/2204 )
169174
170175## Exceptions for all Apache Polaris versions
171176
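Review bot: The new definition on line 166 promises identical artifacts "on every machine from the same source" but does not say what else has to match for that to hold. The definition at reproducible-builds.org, which this hunk adds as a reference, also conditions on the same build environment and build instructions. Someone verifying a release with a different toolchain could read a mismatch as tampering, so consider naming the environment that must be held constant, or stating that the claim applies to the documented release build setup. The "mostly" on line 168 would also be easier to act on if it pointed directly at the exceptions sections that follow.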
@@ -179,6 +184,5 @@ Pending on full support for reproducible builds in Quarkus:
179184 * server/app/polaris-server-* .jar
180185* Zips and tarballs containing any of the above are not guaranteed to be reproducible.
181186
182- Helm chart package tarball is not binary reproducible because there is no option to influence the
183- mtime and POSIX attributes of the archive entries.
184- The actual content of the archive entries is reproducible.
187+ Helm packages are not binary reproducible yet.
188+ See helm-package notes on [ this page] ( https://cwiki.apache.org/confluence/display/SECURITY/Reproducible+Builds ) .
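Review bot: Lines 187-188 replace the concrete explanation with a pointer to an external wiki page, and the removed sentence "The actual content of the archive entries is reproducible." is the part a verifier can act on: it says that comparing extracted entry contents is still meaningful even though the tarball bytes differ. If that statement is still true, keep it next to the new text; if it is no longer true, say so explicitly, since "not binary reproducible yet" alone leaves open whether the chart contents can be checked at all. The link text "this page" is also not descriptive and points at the same URL already listed under References as "Reproducible builds at the ASF", so reusing that title would make the target clear.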