
[Enhancement] Make Apache Pulsar build reproducible to increase the security and integrity of the software supply chain #23477

lhotari opened this issue Oct 17, 2024 · 0 comments
Labels
type/enhancement The enhancements for the existing features or docs. e.g. reduce memory usage of the delayed messages


lhotari commented Oct 17, 2024

Search before asking

  • I searched in the issues and found nothing similar.

Motivation

Reproducible builds increase the security and integrity of the software supply chain. They allow verification that no vulnerabilities or backdoors have been introduced during the compilation process. This is particularly important for privacy and security-focused software like Apache Pulsar.

Solution

Implement reproducible builds for Apache Pulsar by:

  1. Making the build system deterministic (e.g., removing timestamps, ordering output consistently)
  2. Defining or recording the build environment and tools
  3. Providing a way for users to recreate the build environment and validate the output
  4. Ensuring that the checks pass at https://github.com/jvm-repo-rebuild/reproducible-central/blob/master/content/org/apache/pulsar/README.md

Alternatives

No direct alternatives considered. Not implementing reproducible builds leaves the project more vulnerable to potential supply chain attacks.

Anything else?

This enhancement aligns with industry best practices and recommendations from security organizations like the NSA and CISA for improving software supply chain security.

Are you willing to submit a PR?

  • I'm willing to submit a PR!
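A check for steps 1 and 3 of the proposed solution, written as an added example and not code from the Pulsar project or from reproducible-central: two in-memory JARs are built from constructed sample entries (not real Pulsar classes), one with wall-clock timestamps and filesystem ordering, one with a pinned timestamp (the role Maven's `project.build.outputTimestamp` plays) and sorted entries. `explain_diff` reports why two artifacts are not byte-identical, so a failed rebuild comparison points at the nondeterminism rather than just at a hash mismatch.

```python
import hashlib
import io
import zipfile

# Constructed sample entries; real Pulsar JARs contain compiled classes.
CLASSES = {
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "org/apache/pulsar/Foo.class": b"\xca\xfe\xba\xbe\x00\x00\x00\x41foo",
    "org/apache/pulsar/Bar.class": b"\xca\xfe\xba\xbe\x00\x00\x00\x41bar",
}
# Pinned build timestamp (what project.build.outputTimestamp provides in Maven).
FIXED_TIME = (2024, 10, 17, 0, 0, 0)

def build_jar(entries, mtime, order):
    """Write entries into a ZIP/JAR in the given order with one fixed mtime."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in order:
            info = zipfile.ZipInfo(name, date_time=mtime)
            info.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(info, entries[name])
    return buf.getvalue()

def sha256(data):
    return hashlib.sha256(data).hexdigest()

def explain_diff(jar_a, jar_b):
    """Return reasons two JARs differ; an empty list means byte-identical."""
    if sha256(jar_a) == sha256(jar_b):
        return []
    reasons = []
    with zipfile.ZipFile(io.BytesIO(jar_a)) as za, zipfile.ZipFile(io.BytesIO(jar_b)) as zb:
        names_a, names_b = za.namelist(), zb.namelist()
        if set(names_a) != set(names_b):
            reasons.append("entry set differs")
        elif names_a != names_b:
            reasons.append("entry order differs")
        for name in sorted(set(names_a) & set(names_b)):
            if za.getinfo(name).date_time != zb.getinfo(name).date_time:
                reasons.append(f"timestamp differs: {name}")
            if za.read(name) != zb.read(name):
                reasons.append(f"content differs: {name}")
    return reasons or ["archive bytes differ (e.g. compression level or extra fields)"]

def demo():
    """Compare a nondeterministic build pair with a deterministic one."""
    first = build_jar(CLASSES, (2024, 10, 17, 9, 15, 2), list(CLASSES))
    second = build_jar(CLASSES, (2024, 10, 18, 14, 3, 40), list(reversed(CLASSES)))
    repro_a = build_jar(CLASSES, FIXED_TIME, sorted(CLASSES))
    repro_b = build_jar(CLASSES, FIXED_TIME, sorted(CLASSES))
    return explain_diff(first, second), explain_diff(repro_a, repro_b)
```

For a real verification, the two inputs would be the artifact downloaded from Maven Central and the one produced by rebuilding the tagged source with the recorded JDK and Maven versions.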