Comment: added link to MNG-6062

...

Java builds are naturally not immediately reproducible: timestamps in jar files are the first source of non-reproducibility (if you do a build twice with just the javac and jar commands, the two results won't be the same bit for bit).

But Maven plugins across the whole ecosystem (not only those provided by the Apache Maven team) sometimes add variable parts that compound the problem: a timestamp text or username in MANIFEST.MF, ... reproducible-build-maven-plugin has been created to try to fix such issues after packaging.
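To make the timestamp problem concrete, here is an added example (not code from Apache Maven or from reproducible-build-maven-plugin): it packages the same constructed entries into two jars a minute apart, shows their digests differ, then applies the kind of post-packaging normalisation described above (fixed entry timestamps, stable entry order) and shows the digests now match. The entry contents and the fixed date are assumptions chosen for the demo.

```python
import hashlib
import io
import zipfile

# Constructed sample jar contents (not from a real build): a manifest and one "class" entry.
ENTRIES = {
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\r\nCreated-By: example\r\n\r\n",
    "com/example/App.class": b"\xca\xfe\xba\xbe\x00\x00\x004constructed-bytes",
}

# Assumed fixed timestamp written into every entry after packaging (zip stores DOS time).
FIXED_DATE_TIME = (2000, 1, 1, 0, 0, 0)


def build_jar(date_time):
    """Emulate what `jar` does: every entry is stamped with the time of the build."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in ENTRIES.items():
            info = zipfile.ZipInfo(name, date_time=date_time)
            info.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(info, data)
    return buf.getvalue()


def normalize_jar(jar_bytes, date_time=FIXED_DATE_TIME):
    """Rewrite a jar after packaging: fixed timestamp on each entry, entries in sorted order."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src, zipfile.ZipFile(out, "w") as zf:
        for info in sorted(src.infolist(), key=lambda i: i.filename):
            new = zipfile.ZipInfo(info.filename, date_time=date_time)
            new.compress_type = info.compress_type
            new.external_attr = info.external_attr
            zf.writestr(new, src.read(info.filename))
    return out.getvalue()


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def demo():
    """Two builds of identical sources one minute apart: raw jars differ, normalised jars match."""
    jar_a = build_jar((2021, 3, 4, 10, 0, 0))
    jar_b = build_jar((2021, 3, 4, 10, 1, 0))
    return {
        "raw_identical": sha256(jar_a) == sha256(jar_b),
        "normalized_identical": sha256(normalize_jar(jar_a)) == sha256(normalize_jar(jar_b)),
    }
```

Comparing the digests of two independently built, normalised jars is exactly the check a user or release voter wants in the stories below; a difference that survives normalisation points at content, not timestamps.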

...

  1. As a user of artifacts published on repositories like Maven Central, I want to be able to check that the binary version of the artifact matches its source version.
    From a software QA point of view, this would allow detection of quality problems in the build/publish process.
    From a computer security point of view, this would allow detection of a backdoor introduced during the build/publish process (instead of other solutions based on checking signatures, as envisioned in MNG-6026).
  2. As a developer voting on an Apache source release against a staging repository, I want to verify that the binary from my local build from sources is the same as the binary that is staged and signed by the release manager.

...