Comment: added diffoscope link

https://reproducible-builds.org/: Reproducible builds are a set of software development practices that create a verifiable path from human-readable source code to the binary code used by computers.

How?

First, the build system needs to be made entirely deterministic: transforming a given source must always create the same result. Typically, the current date and time must not be recorded and output always has to be written in the same order.

Second, the set of tools used to perform the build and more generally the build environment should either be recorded or pre-defined.

Third, users should be given a way to recreate a close enough build environment, perform the build process, and verify that the output matches the original build.

Tools like diffoscope have been created to measure and explain the differences between the contents of two archives.

Java builds are naturally not immediately reproducible: timestamps on jar entries are the first source of non-reproducibility (if you run a build twice, the two results will not be identical bit for bit).

But Maven sometimes adds variable parts of its own that add to the problem: timestamp text or the username in MANIFEST.MF, ... reproducible-build-maven-plugin has been created to try to fix such issues after packaging.
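As an added example (not code from this page, from Maven or from reproducible-build-maven-plugin), the script below classifies why two jars built from the same sources differ (content, timestamp only, or entry order), then applies the same kind of post-packaging fix-up the text describes: fixed entry timestamps, sorted entry order, and volatile MANIFEST.MF attributes dropped. The two sample jars and the set of attribute names treated as volatile are constructed for this example.

```python
import hashlib
import io
import zipfile

MANIFEST = "META-INF/MANIFEST.MF"
VOLATILE_ATTRS = {"Built-By", "Build-Jdk"}   # attribute names assumed volatile for this example
FIXED_STAMP = (1980, 1, 1, 0, 0, 0)          # any fixed, documented timestamp works

def build_jar(manifest, entries, stamp):
    """Constructed 'build output': every entry carries the build's wall-clock time."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in [(MANIFEST, manifest.encode())] + entries:
            zf.writestr(zipfile.ZipInfo(name, stamp), data, compress_type=zipfile.ZIP_DEFLATED)
    return buf.getvalue()

def entry_digests(jar_bytes):
    """Entry name -> (sha256 of content, entry timestamp), in archive order."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return {i.filename: (hashlib.sha256(zf.read(i)).hexdigest(), i.date_time) for i in zf.infolist()}

def compare_jars(a, b):
    """Classify why two jars differ: real content, timestamp only, or entry order."""
    da, db = entry_digests(a), entry_digests(b)
    report = {"missing": sorted(set(da) ^ set(db)), "content": [], "timestamp_only": [],
              "order_differs": list(da) != list(db)}
    for name in sorted(set(da) & set(db)):
        (ha, ta), (hb, tb) = da[name], db[name]
        if ha != hb:
            report["content"].append(name)
        elif ta != tb:
            report["timestamp_only"].append(name)
    return report

def normalize_jar(jar_bytes):
    """Post-packaging fix-up: manifest first, sorted entries, fixed timestamps, volatile attrs dropped."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src, zipfile.ZipFile(out, "w") as dst:
        for name in sorted(src.namelist(), key=lambda n: (n != MANIFEST, n)):
            data = src.read(name)
            if name == MANIFEST:   # simple line filter; manifest continuation lines are not handled
                kept = [l for l in data.decode().splitlines() if l.split(":")[0] not in VOLATILE_ATTRS]
                data = ("\n".join(kept) + "\n").encode()
            dst.writestr(zipfile.ZipInfo(name, FIXED_STAMP), data, compress_type=zipfile.ZIP_DEFLATED)
    return out.getvalue()

# Two constructed builds of the same sources, on different days, by different people.
CLASSES = [("com/example/App.class", b"\xca\xfe\xba\xbe" + b"\x00" * 32), ("com/example/msg.txt", b"hello")]
BUILD_A = build_jar("Manifest-Version: 1.0\nBuilt-By: alice\nBuild-Jdk: 17.0.2\n", CLASSES, (2024, 3, 1, 10, 0, 0))
BUILD_B = build_jar("Manifest-Version: 1.0\nBuilt-By: bob\nBuild-Jdk: 17.0.8\n", CLASSES[::-1], (2024, 3, 2, 11, 30, 0))
```

After normalization the two jars are byte-for-byte identical, which is the property a downstream verifier (or diffoscope) can then check.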

...

  1. As a user of artifacts published on repositories like Maven Central, I want to be able to check that the binary version of the artifact matches its source version. From a software QA point of view, this would allow detecting quality problems in the build/publish process. From a computer security point of view, this would allow detecting the introduction of a backdoor during the build/publish process.
  2. As a developer voting on an Apache source release against a staging repository, I want to verify that the binary I build locally from the sources is the same as the binary that is staged and signed by the release manager.

Sources of unreproducible bits

...