Reproducible builds improvements
theofidry opened this issue · 5 comments
As per a discussion with seldaek and @drupol:
- https://box-project.github.io/box/reproducible-builds/#composer-root-version : clarify that it is a problem only if the goal is to have a different PHAR if the content is different. This is an optional extra step that PHPStan does but most people would be content with the state of, build twice for a given commit and get the same result.
- https://box-project.github.io/box/reproducible-builds/#composer-autoload-suffix could be automatically set by Box (e.g. to the commit reference) or recommend to commit the composer.lock (probably simpler)
- https://box-project.github.io/box/reproducible-builds/#phar-alias: Maybe the default name generated could be derived from the project name.
- Fix anchor and link in https://box-project.github.io/box/reproducible-builds/#requirement-checker
- https://box-project.github.io/box/reproducible-builds/#timestamp: The timestamp could be forced and default to the one of the commit
Cool initiative!
Here's a few comments:
> https://box-project.github.io/box/reproducible-builds/#composer-autoload-suffix could be automatically set by Box (e.g. to the commit reference) or recommend to commit the composer.lock (probably simpler)

This is not needed any more if the project ships a composer.lock file, see: composer/composer#11663
> https://box-project.github.io/box/reproducible-builds/#timestamp: The timestamp could be forced and default to the one of the commit
AFAIK, I was unable to use that option.
> AFAIK, I was unable to use that option.
How come? 🤔
Oh never mind, you just tagged that feature for 4.6.0!
Indeed, unfortunately the docs are not versioned :/
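
The baseline discussed in this thread ("build twice for a given commit and get the same result") can be checked mechanically. The script below is an added example, not part of the thread or of Box itself; the function names are hypothetical, and the artifact name and `box compile` invocation in the comments are assumptions about the project's setup.

```shell
#!/bin/sh
# Added example: verify that a build command is reproducible by running it
# twice and comparing the SHA-256 digest of the resulting artifact.

# build_digest <artifact> <build command...>
# Removes any stale artifact, runs the build, prints the artifact's digest.
# Returns 2 if the build fails or produces no artifact.
build_digest() {
    artifact=$1
    shift
    rm -f -- "$artifact"
    "$@" >/dev/null 2>&1 || return 2
    [ -f "$artifact" ] || return 2
    sha256sum -- "$artifact" | cut -d' ' -f1
}

# is_reproducible <artifact> <build command...>
# Returns 0 when both builds are byte-identical, 1 when they differ,
# 2 when a build failed.
is_reproducible() {
    first=$(build_digest "$@") || return 2
    # Let the wall clock advance so an embedded build timestamp shows up
    # as a digest mismatch instead of passing by coincidence.
    sleep 1
    second=$(build_digest "$@") || return 2
    [ "$first" = "$second" ]
}

# commit_epoch
# Prints the committer timestamp of HEAD as a Unix epoch: the value the
# thread proposes as the default forced timestamp.
commit_epoch() {
    git log -1 --format=%ct
}

# Assumed usage in a project checkout (artifact name is an assumption):
#   is_reproducible app.phar box compile || echo "build is not reproducible"
```

A mismatch only says that something varies between runs; comparing the two artifacts' contents is still needed to find which input (timestamp, autoloader suffix, alias) is responsible.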