With the increasing focus on supply chain security, there is a greater demand for reproducible binary builds. This presents an opportunity for open source projects as, unlike closed source projects, reproducible binary builds enable open source projects to categorically demonstrate that the convenience binaries that they provide have been built from an tagged, unaltered source tree that end users are able to audit.

Over the past year, the Apache Tomcat project has been working towards cross-platform reproducible binary builds. Tomcat is now in the position where, from a given project tag, identical release distributions including source archives, binaries and authenticode signed installers for Windows can be generated on either Windows or Linux. This session will look at the challenges the Apache Tomcat project faced in moving to reproducible builds, the techniques used to debug differences between builds and the different solutions used to resolve them.

Speakers:

Mark Thomas: VMware, Staff Engineer, Mark has been an Apache Tomcat committer since November 2003. He initially worked on Tomcat in his free time but since August 2008 he has been employed by SpringSource (now part of VMware) to work on Apache Tomcat. He spends most of his time working on Tomcat but he also works on tc Server, VMware’s Servlet & JSP container based on Apache Tomcat.

Mark is the release manager for Apache Tomcat 10.0 and 10.1 where he tries to release a new version every month or so. He is currently focused on Tomcat 10.1 development which will support Jakarta EE 10. He is a committer for Eclipse Servlet, Server Pages, Expression Language and WebSocket.

Elsewhere at the ASF, Mark is a member of the ASF security and infrastructure teams and he is also on the Commons PMC where he focuses on Commons Pool and DBCP.

Mark is a member of the ASF and served as a Director from 2016 to 2019. He has held the position of VP, Brand Management since February 2018.