I fully trust @matthiasblaesing but I think we ought to do a better job at having better visibility into where such things are built, and how to avoid any supply chain attacks. I'd prefer everything used public automation like GHA, that these JARs were signed, etc. Any thoughts?

@dblock while what you describe is a good aim, I don't think this is doable. The big question is, why anyone would trust a binary build on GH, more than on my personal machine or on the FSF servers.

In the end the the build needs to be reproducible and more importantly actually be reproduced. Else everything is just theory. I wrote it at another place already, currently rebuilding the native binaries takes about 2 days. This does not include unittests or any verification, let alone verification on multiple machines or from different builders.

I also have the distinct feeling, that here is little interest in this. I setup a build for signed DLLs, the requestors did not even bother to reply when asked for testing.

But I think the discussion belongs on the mailing list.

As this is only about the AIX binaries, I'll get them in now - if I'd want to inject a backdoor, I would have done it via #1383.

Thanks @matthiasblaesing!