maven-issues mailing list archives

From "Daniel Wegener (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (MNG-6276) Support reproducible builds
Date Sun, 08 Oct 2017 19:19:00 GMT

    [ https://issues.apache.org/jira/browse/MNG-6276?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16196294#comment-16196294 ]

Daniel Wegener commented on MNG-6276:
-------------------------------------

I wrote about this topic last year: https://blog.holisticon.de/2016/10/reproducible-builds-in-java/

TL;DR:
- given the same environment, javac's classfile output is stable
- jars use zip, which contains entry timestamps which we must set to a fixed value (or a somewhat non-arbitrary default)
- maven-archiver-plugin may parallelize the packaging, which may result in arbitrary entry order in the packaged artifact
- the archiver plugin iterates the files which are to be packaged in file-system order, which may differ across platforms
- I have not tested how the "standard tooling", the jar command line tool (http://docs.oracle.com/javase/8/docs/technotes/tools/unix/jar.html), behaves

> Support reproducible builds
> ---------------------------
>
>                 Key: MNG-6276
>                 URL: https://issues.apache.org/jira/browse/MNG-6276
>             Project: Maven
>          Issue Type: New Feature
>          Components: core, General
>            Reporter: Paolo Sacconier
>
> A venerable build system like maven should support full build reproducibility (i.e. producing bit-for-bit identical binaries from the same source).
> As initiatives like https://reproducible-builds.org gain traction and the news of the recent Debian policy change to mandate this build behavior (see https://reproducible.alioth.debian.org/blog/posts/121/), this seems a feature that needs to be considered for inclusion into maven core & core plugins.
> There is an independent ongoing effort to support this feature and the author stated that he has found interest from maven project to integrate his work: https://github.com/Zlika/reproducible-build-maven-plugin/issues/6#issuecomment-325005883
> I hope this issue helps kickstart the effort.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
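
The two jar-level causes named in the comment above (zip entry timestamps and entry order), shown as an added example that is not part of the original message or of any Maven plugin. Python's standard `zipfile` module stands in for the archiver; the entry names, contents, build timestamps and the fixed 1980-01-01 value are constructed assumptions.

```python
import hashlib
import io
import zipfile

# Constructed sample input: entry names and bytes are hypothetical.
SAMPLE_FILES = {
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\r\n\r\n",
    "com/example/App.class": b"\xca\xfe\xba\xbe constructed App bytes",
    "com/example/Util.class": b"\xca\xfe\xba\xbe constructed Util bytes",
}

# Assumption: pin every entry to the earliest date the zip format can store.
FIXED_MTIME = (1980, 1, 1, 0, 0, 0)


def build_jar(files, order, mtime, normalize=False):
    """Pack `files` into jar (zip) bytes.

    `order` simulates the file-system iteration order and `mtime` the file
    timestamps seen on one build machine. With normalize=True both are
    replaced by fixed values, so the environment no longer leaks in.
    """
    names = sorted(order) if normalize else list(order)
    stamp = FIXED_MTIME if normalize else mtime
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name in names:
            info = zipfile.ZipInfo(name, date_time=stamp)
            info.compress_type = zipfile.ZIP_DEFLATED
            info.create_system = 3            # fixed host-OS field (Unix)
            info.external_attr = 0o644 << 16  # fixed permission bits
            jar.writestr(info, files[name])
    return buf.getvalue()


def sha256(data):
    return hashlib.sha256(data).hexdigest()


if __name__ == "__main__":
    names = list(SAMPLE_FILES)
    for normalize in (False, True):
        a = build_jar(SAMPLE_FILES, names, (2017, 10, 8, 19, 19, 0), normalize)
        b = build_jar(SAMPLE_FILES, names[::-1], (2017, 10, 8, 21, 5, 30), normalize)
        print("normalized" if normalize else "naive", sha256(a) == sha256(b))
```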
