hboutemy commented on PR #1726: URL: https://github.com/apache/maven/pull/1726#issuecomment-2378443930
yes, there is a link with incremental build when the rebuild is done just after the initial build, and the local builder can optimize to reuse instead of rebuild some artifacts Reproducible Builds has in addition "third party rebuild" case, where the rebuild is done much later, by someone else, with a different env: both incremental build for local and RB for 3rd party need to be available, and consistent; This is one reason why Git commit timestamp is not efficient on large multi-module builds this "3rd party rebuild" case is also where RB has a great effect: it lets us know when artifacts contain environment-specific content in output, like username, machine name, local path, or any personal local file. Nothing really security / malware oriented (even if local data can be PII or considered leakage), but it's what we in practice find regularly when checking RB during our Maven components release votes -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
