Comment: added link to reproducible-builds mailing list


Page properties

Status: WIP
Issue(s): MNG-6276 (ASF JIRA)

https://reproducible-builds.org/ (see mailing list)

Reproducible builds are a set of software development practices that create a verifiable path from human readable source code to the binary code used by computers.

How?

First, the build system needs to be made entirely deterministic: transforming a given source must always create the same result. Typically, the current date and time must not be recorded and output always has to be written in the same order.

Second, the set of tools used to perform the build and more generally the build environment should either be recorded or pre-defined.

Third, users should be given a way to recreate a close enough build environment, perform the build process, and verify that the output matches the original build.

...

But Maven plugins across the whole ecosystem (not only those provided by the Apache Maven team) sometimes add variable parts that add to the problem: timestamp text or username in MANIFEST.MF, ...

reproducible-build-maven-plugin has been created to try to fix issues after packaging.

...

What are the issues to solve?

| issue tracking | description |
|---|---|
| MSHARED-661 | maven-archiver adds "Built-By" and "Built-Jdk" Manifest entries; this component is then used by many plugins that create archives |
| MSHARED-494 (fixed in maven-archiver 3.1.0) | Timestamp in pom.properties |
| | support SOURCE_DATE_EPOCH environment variable or equivalent: see https://reproducible-builds.org/docs/timestamps/ |
| MPLUGIN-261 (fixed in maven-plugin-plugin 3.3) | generated plugin.xml is non-deterministic |
| MPLUGIN-326 (fixed in maven-plugin-plugin 3.5.1) | Timestamp in plugin.xml and plugin-help.xml descriptors generated by maven-plugin-tools-generator |
| codehaus-plexus/plexus-archiver issue #48 | avoid timestamp issues in archives created by plexus-archiver (widely used in Maven plugins creating jar, zip, war, tar... archives) |
| codehaus-plexus/plexus-containers issue #8 | sort components when generating META-INF/plexus/components.xml |
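
The archive-level issues listed above (entry timestamps, entry order, SOURCE_DATE_EPOCH) shown on a jar-like ZIP, as an added Python example that is not Maven or plexus-archiver code. The entry contents, the function names and the default epoch of 0 are assumptions made for the illustration.

```python
import io
import os
import time
import zipfile

# Constructed sample entries standing in for a jar's content (not from a real build).
ENTRIES = {
    "org/example/App.class": b"\xca\xfe\xba\xbe constructed bytes",
    "META-INF/plexus/components.xml": b"<component-set/>\n",
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\r\n",
}

def zip_date(epoch):
    """Epoch seconds -> UTC date tuple; the ZIP format cannot store dates before 1980."""
    return time.gmtime(max(epoch, 315532800))[:6]

def build_archive(entries, order, epoch):
    """Write entries in the given order, stamping each one with the same timestamp."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in order:
            info = zipfile.ZipInfo(name, date_time=zip_date(epoch))
            info.compress_type = zipfile.ZIP_DEFLATED
            info.create_system = 3            # same "Unix" marker on every platform
            info.external_attr = 0o644 << 16  # fixed permissions, not the builder's umask
            zf.writestr(info, entries[name])
    return buf.getvalue()

def build_reproducible(entries, epoch=None):
    """Sorted entry order plus SOURCE_DATE_EPOCH (assumed default: 0 when unset)."""
    if epoch is None:
        epoch = int(os.environ.get("SOURCE_DATE_EPOCH", "0"))
    return build_archive(entries, sorted(entries), epoch)

def explain_mismatch(a, b):
    """Return (entry, reason) pairs describing why two archives are not identical."""
    ia, ib = (zipfile.ZipFile(io.BytesIO(x)).infolist() for x in (a, b))
    reasons = []
    if [i.filename for i in ia] != [i.filename for i in ib]:
        reasons.append(("*", "entry order"))
    other = {i.filename: i for i in ib}
    for i in ia:
        j = other.get(i.filename)
        for field, label in (("date_time", "timestamp"), ("CRC", "content")):
            if j is not None and getattr(i, field) != getattr(j, field):
                reasons.append((i.filename, label))
    return reasons

if __name__ == "__main__":
    naive = build_archive(ENTRIES, list(ENTRIES), int(time.time()))  # build-time clock
    print(explain_mismatch(naive, build_reproducible(ENTRIES)))
```

Two builds that differ only in entry order or clock produce different bytes even though every CRC matches, which is why a verifier comparing hashes needs the packaging step itself to be normalized.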

Debian approach

Debian has had a strong reproducible builds structure working on the topic for a few years: see BuildinfoFiles for environment info recording.

...