ppkarwasz commented on PR #417: URL: https://github.com/apache/commons-build-plugin/pull/417#issuecomment-4154695422
> It is odd that the dependency on Commons Codec `1.22.0-SNAPSHOT` doesn't show up as an addition in the GH UI. How is that possible?

This PR is against a `codec-1.22.0` branch, so it doesn't accidentally end up in `master` before the Codec 1.22.0 release. The additional dependency was added in that branch.

> > The generated in-toto attestation is pretty much work in progress and currently looks like:
>
> I thought the JSON format was a standard? Surely we shouldn't invent our own, right?

The [schema for SLSA Build attestations](https://slsa.dev/spec/v1.2/build-provenance#schema) does not strictly define all the components. The exact semantics of the document depend on the value of `predicate.buildDefinition.buildType`, which should be a URL to a human-readable document that describes the "build platform". For example: https://github.com/slsa-framework/github-actions-buildtypes/tree/main/workflow/v1. I started to draft such documentation for the Commons build process, but I haven't finished yet.

In particular, the schema of these elements is not defined:

- `predicate.buildDefinition.internalParameters`,
- `predicate.buildDefinition.externalParameters`,
- `predicate.runDetails.builder.id`.

> What does the sample document attest? Attesting a dependency on a snapshot like `commons-lang3-3.21.0-SNAPSHOT.jar` doesn't mean anything, since that's not reproducible.

The sample document I shared is the result of calling `build-attestation` against the current `master` branch of `commons-lang3`. It contains:

- In the `subject` field: all the artifacts attached to the build. Of course, since the goal is meant for Commons, we can decide to exclude in code the artifacts with type `tar.gz` and `zip`, which are not sent to Maven Central.
- In `externalParameters` you'll find some parameters of the Maven execution that created the artifacts and the attestation: JVM args, some `MavenExecutionRequest` data and a selected list of environment properties that we know can influence reproducibility (`TZ` and locale, but I didn't set `TZ` this time).
- In `resolvedDependencies` you'll find the details of my JDK and Maven installation. I also tried to capture the data usually available when you call `mvn --version`, but due to classloader isolation it was not available.
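The comment above describes the shape of an in-toto Statement carrying a SLSA v1 build provenance predicate (`subject`, `buildType`, `externalParameters`, `resolvedDependencies`, `runDetails.builder.id`) and the two policy points raised in the thread: `tar.gz`/`zip` artifacts are not published to Maven Central, and a `SNAPSHOT` dependency is not reproducible. The Python below is an added example, not code from the Apache Commons build plugin or from ppkarwasz; it constructs such a statement from in-memory sample artifacts and runs the checks a consumer would apply before trusting it. The `buildType` and builder URLs, artifact names and byte contents are constructed placeholders, and the statement/predicate type URIs are the published in-toto and SLSA v1 identifiers.

```python
import hashlib
import json
from urllib.parse import urlparse

# Constructed sample artifacts (name -> bytes) standing in for the files the
# Maven build attaches. Digests are computed from these bytes, not taken from
# any real release.
SAMPLE_ARTIFACTS = {
    "commons-example-1.0.0.jar": b"jar-bytes",
    "commons-example-1.0.0-sources.jar": b"sources-bytes",
    "commons-example-1.0.0-bin.tar.gz": b"tarball-bytes",
    "commons-example-1.0.0-src.zip": b"zip-bytes",
}

# Distribution archives are not sent to Maven Central, so they are left out
# of the subject list, as the thread proposes.
EXCLUDED_SUFFIXES = (".tar.gz", ".zip")

STATEMENT_TYPE = "https://in-toto.io/Statement/v1"
PREDICATE_TYPE = "https://slsa.dev/provenance/v1"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_statement(artifacts, build_type, builder_id,
                    external_parameters, resolved_dependencies):
    """Assemble an in-toto Statement with a SLSA v1 provenance predicate."""
    subjects = [
        {"name": name, "digest": {"sha256": sha256_hex(data)}}
        for name, data in sorted(artifacts.items())
        if not name.endswith(EXCLUDED_SUFFIXES)
    ]
    return {
        "_type": STATEMENT_TYPE,
        "subject": subjects,
        "predicateType": PREDICATE_TYPE,
        "predicate": {
            "buildDefinition": {
                # Must point at a human-readable description of the build platform
                "buildType": build_type,
                "externalParameters": external_parameters,
                "internalParameters": {},
                "resolvedDependencies": resolved_dependencies,
            },
            "runDetails": {"builder": {"id": builder_id}},
        },
    }


def _is_url(value: str) -> bool:
    parsed = urlparse(value)
    return parsed.scheme in ("http", "https") and bool(parsed.netloc)


def check_statement(statement) -> list:
    """Return the problems a consumer would flag before trusting the attestation."""
    problems = []
    if statement.get("_type") != STATEMENT_TYPE:
        problems.append("unexpected statement type")
    if statement.get("predicateType") != PREDICATE_TYPE:
        problems.append("unexpected predicate type")
    subjects = statement.get("subject") or []
    if not subjects:
        problems.append("no subjects")
    for subj in subjects:
        digest = subj.get("digest", {}).get("sha256", "")
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            problems.append(f"bad sha256 digest for {subj.get('name')}")
    predicate = statement.get("predicate", {})
    build_def = predicate.get("buildDefinition", {})
    if not _is_url(build_def.get("buildType", "")):
        problems.append("buildType is not a URL")
    builder_id = predicate.get("runDetails", {}).get("builder", {}).get("id", "")
    if not _is_url(builder_id):
        problems.append("builder.id is not a URL")
    # A snapshot dependency cannot be reproduced, so it attests nothing useful.
    for dep in build_def.get("resolvedDependencies", []):
        uri = dep.get("uri", "")
        if "SNAPSHOT" in uri:
            problems.append(f"non-reproducible snapshot dependency: {uri}")
    return problems


if __name__ == "__main__":
    stmt = build_statement(
        SAMPLE_ARTIFACTS,
        "https://example.invalid/commons-build-type/v1",   # placeholder buildType
        "https://example.invalid/commons-builder",         # placeholder builder id
        {"jvmArgs": ["-Xmx1g"], "env": {"TZ": "UTC", "LANG": "C"}},
        [{"uri": "pkg:generic/jdk@17.0.0", "digest": {"sha256": "00" * 32}}],
    )
    print(json.dumps(stmt, indent=2))
    print("problems:", check_statement(stmt))
```

`check_statement` returns an empty list for the sample run; feeding it a `resolvedDependencies` entry whose `uri` contains `SNAPSHOT`, or a `buildType` that is plain text rather than a URL, yields one problem per defect, which is the distinction the thread draws between a document that merely has the SLSA shape and one that attests something reproducible.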
