Re: [adoptium-pmc] Reproducible build verification for Eclipse Temurin

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]

Re: [adoptium-pmc] Reproducible build verification for Eclipse Temurin

From: Carmen Delgado <carmen.delgado@xxxxxxxxxxxxxxxxxxxxxx>
Date: Wed, 4 Mar 2026 15:32:01 +0100
Arc-authentication-results: i=1; mx.google.com; arc=none
Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:dkim-signature; bh=K00WjGIeQoHnsY9b92soicnvAwssHzEdhIjcdX+vnTg=; fh=dKBns6ignyGX8KBUR3tZqa++HYEjpoDIvowzdqaflhc=; b=IufAV4AzYOiv3X1se8Yq17PZuTlQj+KGGXNLcJrnOLm/6hNZw8oiPBLZZ4D9QkraOu oO5yE/BM3jMp0OO0TMvefgDzGzn8FbZHBjpt9c0wfe7EfJ2cE6WjgvMSE/UbbK/9WnN6 tgw2A/+VIct9w6FigpJOw7b/IhfWPzc/viLYGz7E0Sbm+5jIXMBzNNdG3prtGt0JYMww sEFt+3p+Uuq3/W83zRVcl0Yfg15udhTKDcOma9JMa+onroayAGdpU/4Zox0mYHNknQI8 rBmYOhxC8DdTKRk2PSAWJ4CGUTBEvJSlwHwNCEyk1k11xeW7yeXDdzQWdKF3KB51556d +7pw==; darn=eclipse.org
Arc-seal: i=1; a=rsa-sha256; t=1772634738; cv=none; d=google.com; s=arc-20240605; b=X3YWuTIQ20UlFwmUTGyTsl/3hTGCf0VzBBBIHmTygdCoMWAb/mXd1ZGKLgEvz0rXtf vnTswN+/NTFcIY2Rw0XBtdXf6A9OSfb1EqPCqLonDnwaypwFEMrrNZyId34lNt/ZjKWg cq9GkBB0l/rmxzxHWbPkhsu5yypdV0k/BNDLzuaHjPloJBDU4bzXCcMa3GGgUMQYPKFV AVgTVla1pN0oe55Detv24kVCrQANdIG5WxaJvFdMLa+2/CRfJaj5Qi/fTOQIRA/F/9X2 ZwbHLc8l7Q1IElTCQLbr1US/80AltoqfPZPqVa7+ZC+GFLVDUgWjzMGisq0LsA/uX3rE ayBw==
Delivered-to: adoptium-pmc@xxxxxxxxxxx
List-archive: <https://www.eclipse.org/mailman/private/adoptium-pmc/>
List-help: <mailto:adoptium-pmc-request@eclipse.org?subject=help>
List-subscribe: <https://www.eclipse.org/mailman/listinfo/adoptium-pmc>, <mailto:adoptium-pmc-request@eclipse.org?subject=subscribe>
List-unsubscribe: <https://www.eclipse.org/mailman/options/adoptium-pmc>, <mailto:adoptium-pmc-request@eclipse.org?subject=unsubscribe>

Dear Adoptium PMC members,

Following our PMC meeting today, we noticed the email below was not delivered to the mailing list last week. I am forwarding it now for your review.

KR,

Carmen Delgado

Adoptium Program Manager | Eclipse Foundation

eclipse.org | Twitter | LinkedIn | YouTube

Eclipse Foundation: The Community for Open Innovation and Collaboration

My working day may not be your working day! Please don’t feel obliged to read or reply to this email outside of your normal working hours.

On Thu, 26 Feb 2026 at 19:34, Dennis Leung <dennis.leung@xxxxxxxxxxxxxxxxxxxxxx> wrote:

Dear Adoptium PMC members,

I wanted to follow up on the Reproducible Builds Verification Project thread to refresh everyone’s memory of a previous discussion on this topic and provide some insight into the administrative steps required before the first public release.

As we understand the current status:
Download Page: The verification mark has been implemented.
GitHub: An attestation repository has been created.
Documentation: How-to documentation is pending creation.
Last year, following concerns raised by the Eclipse Foundation Executive Director regarding the term “attestation” for project-issued claims, we reached an understanding in March 2025 not to use the term “attestation” in this context. The agreed upon approach satisfies both legal requirements and technical best practices:

User-Facing Terminology: “Reproducibility Verified,” “Verified Reproducible,” or similar variations will be primarily used
Technical Documentation: The term “attestation” will be reserved strictly for technical documentation (e.g., "CycloneDX Attestation"), where it is an established industry term for secure supply chain practices like SLSA.

Regarding the creation of the Verification mark, we provide a legal review service and process for trademarks to ensure the trademark can be properly protected and to enable the community to benefit from proper use of the trademark.

To complete this transition and mitigate legal exposure, we ask the PMC to take the following actions as soon as possible:

GitHub Repository Update: Rename the existing temurin-attestations repository and any related issues/epics to align with the agreed user-facing terminology (e.g., temurin-reproducibility-verified or temurin-verified-reproducibility).
Legal Review: Submit the new verification mark proposal to the EMO team for formal legal review and approval. This should include details on how the mark is obtained, the project workflow, and where it will be displayed (e.g., the release page)

We are happy to have a call with the PMC to answer any questions you may have and help get this over the finish line for reproducible build verifications.

Regards,

Dennis

--
Dennis Leung
VP Program Management | Eclipse Foundation
dennis.leung@xxxxxxxxxxxxxxxxxxxxxx
+1.613.220.7818 (m)

Follow-Ups:
- Re: [adoptium-pmc] Reproducible build verification for Eclipse Temurin
  - From: Shelley Lambert

Prev by Date: [adoptium-pmc] Minutes of the Adoptium PMC meetings
Next by Date: Re: [adoptium-pmc] Reproducible build verification for Eclipse Temurin
Previous by thread: [adoptium-pmc] Minutes of the Adoptium PMC meetings
Next by thread: Re: [adoptium-pmc] Reproducible build verification for Eclipse Temurin
Index(es):
- Date
- Thread

Breadcrumbs