Re: [adoptium-pmc] Reproducible build verification for Eclipse Temurin

Hi Shelley,

Thanks for your support and providing more background.

Attestations have always had a legal element to their use, and it is becoming more formalized in our world due in part to things like the Cyber Resilience Act. While there may be no confusion to its use in a specific community of developers, we want to minimize any confusion across the broader community. Appreciate your understanding on this matter.

Regards,

Dennis
On Thu, 5 Mar 2026 at 13:15, Shelley Lambert <slambert@xxxxxxxxx> wrote:

Thank you for the note. 

I recall consensus on the user-facing terminology; I did not recall any agreement on renaming GitHub labels, and no mention of renaming the GitHub repository, which was created in Dec 2024, prior to the March 2025 discussions, and additionally mentioned in the document that was prepared to provide background and context on this key initiative.

I am not sure a reason was given for why we'd need to rename GitHub labels, issue titles, and repos; looking back through the minutes and to my recollection, I find nothing. It might be good to have that understanding; otherwise such a request comes across as excessive overreach.

I have concerns over requests to restrict the use of generalized terms such as 'attestations'. What other general software terminology will be disallowed for use in the future? We see the widespread use of the term 'attestation' across other endeavours. As stated in the above-mentioned document prepared for EF last March, there are even examples from companies EF is collaborating with on secure development topic areas (like Chainguard, in describing the provenance of Temurin builds they redistribute). I would like to see the foundation actively protect developers from such language constraints as it contemplates how to empower developers, attract new projects, create inviting environments, and encourage innovation. Developers should be free to use generalized software terminology, such as attestation, in the course of developing programs.

Despite my concerns and in the spirit of reducing friction, I can suggest to the PMC that we rename the repository temurin-cdxa.  I will submit the verification mark to the EMO soon.

I want to note that while there has been a pull request to add the code to display a verification mark, the actual display of the mark on a website is tied to whether reproducible attestations are submitted. Since we have not launched this program yet, no visible mark is live on the website; nothing is user-facing at present. This is all preparatory work, ahead of a launch. As discussed in a recent Working Group call, we have other items to complete, including documentation, that need to be delivered before we would soft launch this program.

Regards,
Shelley



On Wed, Mar 4, 2026 at 9:32 AM Carmen Delgado via adoptium-pmc <adoptium-pmc@xxxxxxxxxxx> wrote:
Dear Adoptium PMC members,

Following our PMC meeting today, we noticed the email below was not delivered to the mailing list last week. I am forwarding it now for your review.

KR, 

Carmen Delgado

Adoptium Program Manager | Eclipse Foundation


Eclipse Foundation: The Community for Open Innovation and Collaboration
My working day may not be your working day! Please don’t feel obliged to read or reply to this email outside of your normal working hours.


On Thu, 26 Feb 2026 at 19:34, Dennis Leung <dennis.leung@xxxxxxxxxxxxxxxxxxxxxx> wrote:

Dear Adoptium PMC members, 


I wanted to follow up on the Reproducible Builds Verification Project thread to refresh everyone’s memory of a previous discussion on this topic and provide some insight into the administrative steps required before the first public release.


As we understand the current status:

Last year, following concerns raised by the Eclipse Foundation Executive Director regarding the term “attestation” for project-issued claims, we reached an understanding in March 2025 not to use the term “attestation” in this context. The agreed-upon approach satisfies both legal requirements and technical best practices:

  • User-Facing Terminology: “Reproducibility Verified,” “Verified Reproducible,” or similar variations will be primarily used.

  • Technical Documentation: The term “attestation” will be reserved strictly for technical documentation (e.g., "CycloneDX Attestation"), where it is an established industry term for secure supply chain practices like SLSA.


Regarding the creation of the Verification mark, we provide a legal review service and process for trademarks to ensure the trademark can be properly protected and to enable the community to benefit from proper use of the trademark.


To complete this transition and mitigate legal exposure, we ask the PMC to take the following actions as soon as possible:

  • GitHub Repository Update: Rename the existing temurin-attestations repository and any related issues/epics to align with the agreed user-facing terminology (e.g., temurin-reproducibility-verified or temurin-verified-reproducibility).

  • Legal Review: Submit the new verification mark proposal to the EMO team for formal legal review and approval. This should include details on how the mark is obtained, the project workflow, and where it will be displayed (e.g., the release page).


We are happy to have a call with the PMC to answer any questions you may have and help get this over the finish line for reproducible build verifications. 


Regards,

Dennis

--

Dennis Leung

VP Program Management | Eclipse Foundation

dennis.leung@xxxxxxxxxxxxxxxxxxxxxx

+1.613.220.7818 (m)


