...
- As a user of artifacts published on repositories like Maven Central, I want to be able to check that the binary version of the artifact matches its source version. From a software QA point of view, this would make it possible to detect quality problems in the build/publish process. From a computer security point of view, this would make it possible to detect the introduction of a backdoor during the build/publish process.
- As a developer voting on an Apache source release against a staging repository, I want to verify that the binary I build locally from the sources is the same as the binary that is staged.
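The check both stories describe, as an added example that is not part of the Maven documentation: rebuild the artifact locally, compare it with the staged copy by SHA-256, and when the two differ, look inside the archive to report which entries differ and whether they differ in content, only in their timestamp, or only in entry order. Everything below (the helper names, the file paths and the sample jars built in memory) is constructed for illustration; the comparison itself applies to any real jar pair.

```python
"""Compare a locally rebuilt jar against a staged one and explain differences.

Added example, not from the Maven reproducible-builds page. The sample jars
and paths are constructed here so the script runs offline.
"""
import hashlib
import io
import zipfile


def sha256_of(data: bytes) -> str:
    """Hex SHA-256 of a byte string (the same digest a .sha256 sidecar carries)."""
    return hashlib.sha256(data).hexdigest()


def compare_archives(local: bytes, staged: bytes) -> dict:
    """Compare two zip/jar archives given as bytes.

    Returns a dict with both digests, an 'identical' flag and, when the bytes
    differ, lists explaining why: entries present on one side only, entries
    whose content or timestamp differ, and whether the entry order differs.
    """
    result = {
        "sha256_local": sha256_of(local),
        "sha256_staged": sha256_of(staged),
        "only_local": [],
        "only_staged": [],
        "differing": [],
        "entry_order_differs": False,
    }
    result["identical"] = result["sha256_local"] == result["sha256_staged"]
    if result["identical"]:
        return result

    with zipfile.ZipFile(io.BytesIO(local)) as zl, \
            zipfile.ZipFile(io.BytesIO(staged)) as zs:
        names_local, names_staged = zl.namelist(), zs.namelist()
        set_local, set_staged = set(names_local), set(names_staged)
        result["only_local"] = sorted(set_local - set_staged)
        result["only_staged"] = sorted(set_staged - set_local)
        # Same set of entries written in a different order also changes the bytes.
        result["entry_order_differs"] = (
            set_local == set_staged and names_local != names_staged
        )
        for name in sorted(set_local & set_staged):
            if zl.read(name) != zs.read(name):
                result["differing"].append((name, "content"))
            elif zl.getinfo(name).date_time != zs.getinfo(name).date_time:
                # Typical non-reproducible bit: the build embedded "now".
                result["differing"].append((name, "timestamp"))
    return result


def verify_files(local_path: str, staged_path: str) -> dict:
    """Read both artifacts from disk and compare them."""
    with open(local_path, "rb") as f_local, open(staged_path, "rb") as f_staged:
        return compare_archives(f_local.read(), f_staged.read())


def build_sample_jar(entries, date_time=(1980, 1, 1, 0, 0, 0)) -> bytes:
    """Build a small jar in memory (constructed test data, not a real artifact).

    A fixed date_time for every entry is what a reproducible build does; passing
    a different one simulates a build that stamped entries with the wall clock.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries:
            info = zipfile.ZipInfo(name, date_time=date_time)
            info.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(info, data)
    return buf.getvalue()


# Constructed sample: a "staged" jar and three local rebuilds of it.
ENTRIES = [
    ("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n"),
    ("com/example/Foo.class", b"\xca\xfe\xba\xbe\x00\x00\x00\x34"),
]
STAGED = build_sample_jar(ENTRIES)
LOCAL_OK = build_sample_jar(ENTRIES)
LOCAL_TIMESTAMPED = build_sample_jar(ENTRIES, date_time=(2024, 1, 1, 12, 0, 0))
LOCAL_TAMPERED = build_sample_jar([
    ENTRIES[0],
    ("com/example/Foo.class", b"\xca\xfe\xba\xbe\x00\x00\x00\x35"),
])

if __name__ == "__main__":
    for label, local in (("ok", LOCAL_OK),
                         ("timestamped", LOCAL_TIMESTAMPED),
                         ("tampered", LOCAL_TAMPERED)):
        r = compare_archives(local, STAGED)
        print(label, "identical" if r["identical"] else r["differing"])
```

A rebuild that matches the staged jar byte for byte is the strong result; the entry-level report matters for the other case, because a timestamp-only difference points at the build configuration, while a content difference in a class file is exactly what a voter on a release, or a user of Maven Central, needs to investigate before trusting the binary.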
Sources of unreproducible bits
...