  1. As a user of artifacts published on repositories like Maven Central, I want to be able to check that the binary version of the artifact matches its source version.
    From a software QA point of view, this would make it possible to detect quality problems in the build/publish process.
    From a computer security point of view, this would make it possible to detect the introduction of a backdoor during the build/publish process (instead of other solutions based on checking signatures, as envisioned in MNG-6026).
  2. As a developer voting on an Apache source release against a staging repository, I want to verify that the binary from my local build from sources is the same as the binary that is staged and signed by the release manager.
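Both stories come down to the same check: hash the locally built artifact and the published or staged one, and when the hashes differ, explain why. The script below is an added example, not code from this page or from the Maven project. It builds three small constructed jars in memory (a local build, a staged copy that differs only in entry timestamps, and a copy with a modified class) and compares them entry by entry, separating content changes from metadata-only changes such as zip timestamps, which are the usual cause of non-reproducible jars and are harmless, unlike a changed class file. All entry names and contents are made up for the demonstration.

```python
import hashlib
import io
import zipfile


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a byte string (what a user would compare against a published checksum)."""
    return hashlib.sha256(data).hexdigest()


def make_jar(entries: dict, date_time: tuple) -> bytes:
    """Build a minimal jar (zip) in memory; constructed test input, not a real Maven artifact."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            info = zipfile.ZipInfo(name, date_time=date_time)
            info.compress_type = zipfile.ZIP_STORED
            zf.writestr(info, data)
    return buf.getvalue()


def jar_entries(data: bytes) -> dict:
    """Map each entry name to (content sha256, zip timestamp)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {info.filename: (sha256_hex(zf.read(info)), info.date_time)
                for info in zf.infolist()}


def compare_jars(local: bytes, staged: bytes) -> dict:
    """Compare a locally built jar with a staged/published one.

    'identical' is the byte-for-byte verdict; the remaining keys explain a mismatch:
    entries present on only one side, entries whose content differs (a real
    discrepancy), and entries whose content matches but whose timestamp differs
    (a reproducibility defect of the build, not a change to what runs).
    """
    local_entries = jar_entries(local)
    staged_entries = jar_entries(staged)
    report = {
        "identical": local == staged,
        "local_sha256": sha256_hex(local),
        "staged_sha256": sha256_hex(staged),
        "only_local": sorted(set(local_entries) - set(staged_entries)),
        "only_staged": sorted(set(staged_entries) - set(local_entries)),
        "content_differs": [],
        "metadata_only": [],
    }
    for name in sorted(set(local_entries) & set(staged_entries)):
        (local_hash, local_time) = local_entries[name]
        (staged_hash, staged_time) = staged_entries[name]
        if local_hash != staged_hash:
            report["content_differs"].append(name)
        elif local_time != staged_time:
            report["metadata_only"].append(name)
    return report


# Constructed sample artifacts (hypothetical entry names and contents).
SOURCE_ENTRIES = {
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "com/example/Foo.class": b"\xca\xfe\xba\xbe\x00\x00\x00\x34 original",
}
TAMPERED_ENTRIES = dict(SOURCE_ENTRIES, **{
    "com/example/Foo.class": b"\xca\xfe\xba\xbe\x00\x00\x00\x34 modified",
})
LOCAL_JAR = make_jar(SOURCE_ENTRIES, (2020, 1, 1, 0, 0, 0))
STAGED_JAR = make_jar(SOURCE_ENTRIES, (2021, 6, 1, 12, 0, 0))     # same content, new timestamps
TAMPERED_JAR = make_jar(TAMPERED_ENTRIES, (2021, 6, 1, 12, 0, 0))  # one class changed


if __name__ == "__main__":
    for label, staged in (("staged", STAGED_JAR), ("tampered", TAMPERED_JAR)):
        r = compare_jars(LOCAL_JAR, staged)
        print(f"{label}: identical={r['identical']}")
        print(f"  local  sha256 {r['local_sha256']}")
        print(f"  staged sha256 {r['staged_sha256']}")
        print(f"  content differs: {r['content_differs']}")
        print(f"  timestamp only : {r['metadata_only']}")
```

In practice `LOCAL_JAR` would be read from `target/` after a `mvn package` and `STAGED_JAR` downloaded from the staging repository; a mismatch that shows up only under `metadata_only` points at the build not being reproducible yet, while anything under `content_differs` or `only_staged` is what a voter or user would need to investigate before trusting the published binary.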