Re: [adoptium-pmc] Provide reproducible build verification for Eclipse Temurin

How long have you been hacking me, we'll pay dearly, you thieves?


On Tue, Apr 22, 2025, 12:37, Timothy R Deaton via adoptium-pmc <adoptium-pmc@xxxxxxxxxxx> wrote:
Stop emailing me and please unsubscribe. I wasn’t thinking when I clicked. I have a job a giant so I do not need this. Sorry for the inconvenience and miscommunication.
Thanks, Tim R Deaton

On Mon, Mar 24, 2025 at 6:54 AM Carmen Delgado via adoptium-pmc <adoptium-pmc@xxxxxxxxxxx> wrote:

Dear Adoptium PMC members, 


Thank you for your input with both Andrew’s email and Shelley’s document.


Based on this, we understand that the proposed terminology would be “Reproducibility verified”, “verified Reproducible” or “Reproducible verified” and the word “attestation” will only appear in technical documentation, such as the reference to "CycloneDX Attestation." This definition aligns with our legal concerns.


Our recommendation for consistency would be editing the GitHub label currently used from "temurin-attestation" to something similar to your proposal "temurin-reproducible-badge", "temurin-reproducibility-verified", "temurin-verified-reproducible", whichever the committee decides is the final naming, as well as any issue or epic created related to this initiative.


Thank you! 



Carmen Delgado

Adoptium Program Manager | Eclipse Foundation

eclipse.org | Twitter | LinkedIn | YouTube 

Eclipse Foundation: The Community for Open Innovation and Collaboration
My working day may not be your working day! Please don’t feel obliged to read or reply to this email outside of your normal working hours.


On Thu, 6 Mar 2025 at 19:26, Shelley Lambert via adoptium-pmc <adoptium-pmc@xxxxxxxxxxx> wrote:
Thanks Andrew!  

I applaud your brevity!  I've pulled together some additional details into a shared document, and copy-pasted the 'short answer' section below for convenience that intends to answer the question regarding the pending items regarding the naming for both the project and the verification checkmark.  The Short answer and a much Longer answer section with far more additional information and links to references are in the shared document.

---

Short answer

There is no new project being introduced, the naming for the project remains “Eclipse Temurin”.  

This initiative is an evolution of the reproducibility feature that has been developed under the Temurin project for the past two years.  The new work is called “verified reproducibility” and it includes: 

  1. Instructions for how to reproduce a Temurin build using information found in the accompanying Temurin SBOM.

  2. A test case to verify the reproduced artifact is byte-for-byte identical to the original downloaded Temurin artifact.

  3. An attestation mechanism with an industry-defined format that allows reproducers to be able to report that they have verified the reproducibility of Temurin.


Naming for verification can align with the SLSA terminology, “verified reproducible”. We envisage verified reproducible build indications that link to the attestation(s) files that have been provided by 3rd parties.


Currently, the list of Temurin builds on the Adoptium website displays checkmarks. Special care was applied in naming the two checkmarks that are attached to artifacts on the Adoptium website, “JCK certified” to denote that builds are compliant with the Java language specification and “AQAvit verified” to denote that builds pass the quality bar as they have passed the AQAvit suite of tests.  In keeping with that same 2-word phrasing, we are planning to introduce a third checkmark for Temurin builds listed on the Adoptium website with the wording “verified Reproducible” or “Reproducible verified” or “Reproducibility verified”.

---

Regards,
Shelley

On Thu, Mar 6, 2025 at 5:59 AM Andrew Leonard via adoptium-pmc <adoptium-pmc@xxxxxxxxxxx> wrote:
Hi Carmen,

The "project" is described as "Providing a mechanism for 3rd parties to independently verify the identical reproducibility of an Eclipse Temurin JDK binary, and provide a CycloneDX Attestation XML document confirming."
The exact adoptium.net website checkmark design and details are yet to be decided, but will most likely be in the form of an "icon" possibly with a "counter" on the release download page, in similar manner to the existing "JCK Certified" and "AQAvit Verified" icons:
image.png


On Wed, Mar 5, 2025 at 5:09 PM Carmen Delgado via adoptium-pmc <adoptium-pmc@xxxxxxxxxxx> wrote:

Dear Adoptium PMC members, 


Based on the approved 2025 Program Plan and Project Priorities, there is an initiative already under development: “Provide reproducible build verification for Eclipse Temurin” (slide 21 from approved plan and EPIC: Provide the ability for 3rd party Temurin release reproducible Attestation). 


When the proposal was introduced to the Eclipse Foundation Executives in October 2024, one of the pending items was defining the proper naming for both the project and the verification checkmark.


Can you please provide the status on the matter?



Thank you,


Carmen Delgado

Adoptium Community Manager | Eclipse Foundation

eclipse.org | Twitter | LinkedIn | YouTube 

Eclipse Foundation: The Community for Open Innovation and Collaboration
My working day may not be your working day! Please don’t feel obliged to read or reply to this email outside of your normal working hours.
_______________________________________________
adoptium-pmc mailing list
adoptium-pmc@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://www.eclipse.org/mailman/listinfo/adoptium-pmc
