- As a user of artifacts published on repositories like Maven Central, I want to be able to check that the binary version of the artifact matches its source version.
From a software QA point of view, this would make it possible to detect quality problems in the build/publish process.
From a computer security point of view, this would make it possible to detect the introduction of a backdoor during the build/publish process (instead of other solutions based on checking signatures, like the one envisioned in MNG-6026).
- As a developer voting on an Apache source release against a staging repository, I want to verify that the binary from my local build from sources is the same as the binary that is staged and signed by the release manager.
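Both stories boil down to the same check: rebuild from the sources, then compare the result with the published or staged artifact. The following is an added example (not code from the Maven project) that performs that comparison on two JARs and, when they are not byte-identical, separates real content differences from metadata-only ones such as entry timestamps, which is the usual first cause of a non-reproducible build. All entry names and contents below are constructed in-memory samples.

```python
import hashlib
import io
import zipfile


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_jar(entries, date_time):
    """Build a JAR (zip) in memory from (name, bytes) pairs with a fixed entry timestamp."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in entries:
            z.writestr(zipfile.ZipInfo(name, date_time), data, compress_type=zipfile.ZIP_DEFLATED)
    return buf.getvalue()


def compare_jars(local: bytes, published: bytes) -> dict:
    """Compare a locally built JAR with the published/staged one.

    Returns the overall verdict plus entries that differ in content (a build or
    supply-chain problem) and entries that differ only in metadata (timestamps,
    permissions), which point at a non-reproducible packaging step instead."""
    report = {"identical": sha256(local) == sha256(published), "content_diffs": [],
              "metadata_diffs": [], "only_in_local": [], "only_in_published": []}
    if report["identical"]:
        return report
    with zipfile.ZipFile(io.BytesIO(local)) as zl, zipfile.ZipFile(io.BytesIO(published)) as zp:
        li = {i.filename: i for i in zl.infolist()}
        pi = {i.filename: i for i in zp.infolist()}
        for name in sorted(li.keys() & pi.keys()):
            if sha256(zl.read(name)) != sha256(zp.read(name)):
                report["content_diffs"].append(name)
            elif (li[name].date_time, li[name].external_attr) != (pi[name].date_time, pi[name].external_attr):
                report["metadata_diffs"].append(name)
        report["only_in_local"] = sorted(li.keys() - pi.keys())
        report["only_in_published"] = sorted(pi.keys() - li.keys())
    return report


# Constructed sample artifacts: the same sources built locally and "published" three ways.
ENTRIES = [("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n"),
           ("org/example/Foo.class", b"\xca\xfe\xba\xbe" + b"\x00" * 8)]
LOCAL = build_jar(ENTRIES, (2019, 1, 1, 0, 0, 0))
PUBLISHED_SAME = build_jar(ENTRIES, (2019, 1, 1, 0, 0, 0))          # reproducible
PUBLISHED_TS = build_jar(ENTRIES, (2019, 6, 1, 12, 30, 0))          # only timestamps differ
PUBLISHED_TAMPERED = build_jar([ENTRIES[0], ("org/example/Foo.class", b"\xca\xfe\xba\xbe" + b"\x01" * 8)],
                               (2019, 1, 1, 0, 0, 0))               # class content differs

if __name__ == "__main__":
    for label, jar in (("same", PUBLISHED_SAME), ("timestamps", PUBLISHED_TS), ("tampered", PUBLISHED_TAMPERED)):
        print(label, compare_jars(LOCAL, jar))
```

A metadata-only report means the build must be made reproducible (fixed entry timestamps) before the comparison can be used as a signal; a content difference on a class file is what the second story is meant to catch before a vote.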