
ASF produces releases in the form of source materials. However, "convenience" compiled versions may also be distributed (https://www.apache.org/legal/release-policy.html#compiled-packages). As this becomes more common, along with container and other distributions, we need a better policy around builds, more infra to allow projects to do builds on ASF-controlled infrastructure, etc. See for example ASFP-23 (ASF JIRA).

Related to this are dependencies. We do sometimes include these in source distributions, but it becomes more of an issue when they're in builds, containers, etc. too. We need to figure out dependency tracking, such as SLSA provenance (then we'd end up with formulas for builds as well as dependency tracking): https://slsa.dev/provenance/v0.2
