Add reproducible build check step in the process of Provider releases #35871

Merged
potiuk merged 2 commits into apache:main from potiuk:add-reproducible-build-check-to-pmc-verification
Nov 26, 2023

Conversation

@potiuk potiuk commented Nov 26, 2023

The reproducible build we just added makes it possible to run fully reproducible package builds (byte-to-byte reproducible), which means that whoever uses the same sources of Airflow (and the official 3rd-party build tools) should get identical, byte-to-byte reproducible packages.

This PR updates the process of Provider package verification to make sure the packages are binary-identical, thus removing the need to verify the sources included in the package (allowing verification not only of the sources coming from the repository, but also of the generated content, such as get_provider_info.py files).

One step closer to SLSA compliance of our build/release process.


^ Add meaningful description above
Read the Pull Request Guidelines for more information.
In case of fundamental code changes, an Airflow Improvement Proposal (AIP) is needed.
In case of a new dependency, check compliance with the ASF 3rd Party License Policy.
In case of backwards incompatible changes please leave a note in a newsfragment file, named {pr_number}.significant.rst or {issue_number}.significant.rst, in newsfragments.

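The check the description calls for, as an added example that is not the Airflow project's own release tooling: every provider package in the release-candidate directory is compared byte for byte with the same-named package produced by a local rebuild, and the digests are printed so they can be quoted in the verification vote. It assumes both directories hold `.whl`/`.tar.gz` files with identical file names and that `sha512sum` and `cmp` are available.

```shell
#!/usr/bin/env bash
# Added example (not Airflow's own script): verify that locally rebuilt provider
# packages are binary-identical to the release-candidate artifacts.
# Assumptions: same file names in both directories; coreutils sha512sum and cmp.
set -eu

# Print only the hex SHA-512 digest of one file.
file_digest() {
    sha512sum "$1" | awk '{print $1}'
}

# verify_reproducible RC_DIR REBUILT_DIR
# One status line per package; returns 0 only if every package is byte-identical,
# 1 if any package differs or is missing from the rebuild, 2 if RC_DIR has no packages.
verify_reproducible() {
    local rc_dir="$1" rebuilt_dir="$2"
    local checked=0 mismatches=0 name rebuilt_pkg rc_pkg
    for rc_pkg in "$rc_dir"/*.whl "$rc_dir"/*.tar.gz; do
        [ -e "$rc_pkg" ] || continue          # glob matched nothing
        name=$(basename "$rc_pkg")
        rebuilt_pkg="$rebuilt_dir/$name"
        checked=$((checked + 1))
        if [ ! -f "$rebuilt_pkg" ]; then
            echo "MISSING   $name (local rebuild did not produce it)"
            mismatches=$((mismatches + 1))
            continue
        fi
        # cmp -s is a byte-exact comparison; digests are only for the report.
        if cmp -s "$rc_pkg" "$rebuilt_pkg"; then
            echo "IDENTICAL $name sha512=$(file_digest "$rc_pkg")"
        else
            echo "DIFFERS   $name rc=$(file_digest "$rc_pkg") local=$(file_digest "$rebuilt_pkg")"
            mismatches=$((mismatches + 1))
        fi
    done
    [ "$checked" -gt 0 ] || { echo "no packages found in $rc_dir"; return 2; }
    echo "$((checked - mismatches))/$checked packages reproduced byte-to-byte"
    [ "$mismatches" -eq 0 ]
}
```

A DIFFERS or MISSING line means the release candidate cannot be tied to the published sources and should block the vote until the cause (differing build tool versions, unpinned inputs, or a tampered artifact) is explained.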

@pierrejeambrun pierrejeambrun left a comment


Really nice


potiuk commented Nov 26, 2023

Really nice

Indeed. Those "reproducible builds", once we have good tooling, are really powerful in making a "secure" supply chain possible.


@hussein-awala hussein-awala left a comment


👍

Co-authored-by: Hussein Awala <hussein@awala.fr>
@potiuk potiuk merged commit 162d0f0 into apache:main Nov 26, 2023
@potiuk potiuk deleted the add-reproducible-build-check-to-pmc-verification branch November 26, 2023 21:50