Skip to content

add Reproducible Central Report #292

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
hboutemy wants to merge 1 commit into
base: master
Choose a base branch
from
Open

add Reproducible Central Report #292

hboutemy wants to merge 1 commit into from

Conversation

@hboutemy
Copy link
Member

@hboutemy hboutemy commented Feb 2, 2025

@hboutemy hboutemy added the enhancement New feature or request label Feb 2, 2025
@hboutemy hboutemy added this to the ASF-34 milestone Feb 2, 2025
@hboutemy
Copy link
Member Author

hboutemy commented Feb 2, 2025
edited
Loading

uh, looking at example, it seems badges are now blocked by csp (were not less than one month ago)
I'm not an expert, help appreciated to explain what exactly causes that, what should be done (probably at maven.apache.org site? or can be done in the report html page independently from site?)

@hboutemy hboutemy added the help wanted Extra attention is needed label Feb 2, 2025
@hboutemy
Copy link
Member Author

hboutemy commented Feb 2, 2025

ok, researching:
https://en.wikipedia.org/wiki/Content_Security_Policy
https://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html

I suppose some more restrictive CSP have been configured ASF-wide, need to find a pointer...

@hboutemy
Copy link
Member Author

hboutemy commented Feb 2, 2025

https://infra.apache.org/csp.html supposed to be become effective March 1, 2025.
Not sure this is what is currently causing the issue, but perhaps there is an intermediate step

@hboutemy
Copy link
Member Author

hboutemy commented Feb 2, 2025

https://privacy.apache.org/policies/website-policy.html

  1. Using Assets from other Domains
    Assets (JavaScript files or snippets, images, fonts, CSS, etc.) from other domains cannot be loaded. All assets need to be hosted on ASF servers.

this may be that one that has been enabled over the past month

@hboutemy
Copy link
Member Author

hboutemy commented Feb 2, 2025

@niallkp do you confirm that maven.apache.org webserver csp has been updated during last month to enforce that "4. Using Assets from other Domains" restriction, please?

@niallkp
Copy link

niallkp commented Feb 2, 2025

@niallkp do you confirm that maven.apache.org webserver csp has been updated during last month to enforce that "4. Using Assets from other Domains" restriction, please?

@hboutemy Infra were going to implement the CSP temporarily on 1st February (yesterday) for testing purposes - but its not supposed to go permanently live until 1st March 2025. Heres the email with the plan (I think you need to be logged in to PonyMail to see):

I don't know if Infra have turned that on or not for testing - would need to ask them.

slawekjaranowski
slawekjaranowski requested changes Mar 2, 2025
View reviewed changes
Copy link
Member

@slawekjaranowski slawekjaranowski left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

First we need a confirm with INFRA tema ... so now I remove from next release proposition

@slawekjaranowski slawekjaranowski removed this from the ASF-34 milestone Mar 2, 2025
ottlinger
ottlinger reviewed Oct 18, 2025
View reviewed changes
docs/src/site/apt/index.apt.vm
The value will be updated by Maven Release Plugin during releases. If a project wants to disable Reproducible Builds, just define
the property value with any single non-numeric character.

In version 34, Reproducible Central Report is added to report on Reproducible Builds checks for the project and it dependencies.
Copy link

@ottlinger ottlinger Oct 18, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

"and its dependencies" ?!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@slawekjaranowski slawekjaranowski slawekjaranowski requested changes

+1 more reviewer

@ottlinger ottlinger ottlinger left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

enhancement New feature or request help wanted Extra attention is needed

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@hboutemy @niallkp @ottlinger @slawekjaranowski