
From https://reproducible-builds.org/: "Reproducible builds are a set of software development practices that create a verifiable path from human readable source code to the binary code used by computers."

How?

First, the build system needs to be made entirely deterministic: transforming a given source must always produce the same result. Typically this means the current date and time must not be recorded, and output must always be written in the same order (not, for example, in whatever order the file system happens to list a directory).

Second, the set of tools used to perform the build and more generally the build environment should either be recorded or pre-defined.

Third, users should be given a way to recreate a close enough build environment, perform the build process, and verify that the output matches the original build.

Java builds are not reproducible out of the box: a jar is a zip archive, and every entry in it records the time at which it was written, so this is the first source of non-reproducibility (build twice and the two jars are not the same bit for bit, even though the class files inside are).

On top of that, some Maven plugins add variable content of their own, which makes the problem worse: a timestamp or the user name in MANIFEST.MF, ...

The goal of this proposal is to prepare a set of configuration and practices for reproducible/verifiable builds, both by improving on Java's native build behaviour and by removing the variability introduced by some Maven plugins (core plugins first, then the wider Maven ecosystem).

What are the issues to solve?

issue tracking   description
MSHARED-661      maven-archiver adds "Built-By" and "Built-Jdk" Manifest entries
(none listed)    support the SOURCE_DATE_EPOCH environment variable: see https://reproducible-builds.org/docs/timestamps/
MPLUGIN-261      before maven-plugin-plugin 3.3, the generated plugin.xml was non-deterministic
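As an added illustration of the three steps above, of the jar timestamp and MANIFEST.MF problems, and of the SOURCE_DATE_EPOCH row in the table (this is not Maven's code, nor anything from reproducible-builds.org), the script below builds the same class files twice the way a plain archiver would and shows why the two jars differ, then rebuilds them with the entry timestamps fixed to SOURCE_DATE_EPOCH, the Built-By/Built-Jdk attributes dropped and the entries in sorted order, and verifies the two results by digest. The class bytes, user names and JDK versions are constructed placeholders; the manifest handling assumes single-line attribute values.

```python
"""
Added illustration (not code from Maven or reproducible-builds.org): a jar is
a zip archive, so two builds of identical class files still differ, because
each zip entry records the time it was written, the entry order follows the
file system, and maven-archiver's Built-By/Built-Jdk manifest entries vary
from machine to machine.  Fixing the entry timestamps to SOURCE_DATE_EPOCH,
dropping those entries and writing entries in a fixed order makes the rebuilt
jar verifiable by digest comparison.
"""
import hashlib
import io
import os
import time
import zipfile

# Constructed placeholder "compiler output" (a real build would use javac's
# class files); the bytes only need to be identical on both builds.
SAMPLE_CLASSES = {
    "com/example/App.class": b"\xca\xfe\xba\xbe" + bytes(range(28)),
    "com/example/Util.class": b"\xca\xfe\xba\xbe" + bytes(range(28, 56)),
}

# Manifest attributes whose values depend on who built and with what
# (the two named in MSHARED-661).
VARIABLE_MANIFEST_ENTRIES = ("Built-By", "Built-Jdk")

# Zip entries carry an MS-DOS date/time whose earliest value is
# 1980-01-01T00:00:00Z, so an older SOURCE_DATE_EPOCH is clamped rather
# than failing the build.
ZIP_EPOCH_MIN = 315532800


def manifest_bytes(user, jdk):
    """MANIFEST.MF as an archiver that records the builder writes it."""
    return (
        "Manifest-Version: 1.0\r\n"
        "Built-By: %s\r\n"
        "Built-Jdk: %s\r\n"
        "Created-By: example archiver\r\n\r\n" % (user, jdk)
    ).encode("ascii")


def strip_variable_entries(manifest):
    """Drop the per-machine attributes, keep the rest verbatim.
    Assumes single-line attribute values (no continuation lines)."""
    kept = []
    for line in manifest.decode("ascii").split("\r\n"):
        if line.split(":", 1)[0] not in VARIABLE_MANIFEST_ENTRIES:
            kept.append(line)
    return "\r\n".join(kept).encode("ascii")


def write_jar(entries, mtime):
    """Write entries [(name, bytes), ...] in the given order into an in-memory
    jar, every entry stamped with `mtime` (seconds since the Unix epoch, UTC)."""
    date_time = time.gmtime(max(mtime, ZIP_EPOCH_MIN))[:6]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name, data in entries:
            info = zipfile.ZipInfo(name, date_time=date_time)
            info.compress_type = zipfile.ZIP_DEFLATED
            jar.writestr(info, data)
    return buf.getvalue()


def naive_build(classes, user, jdk, now):
    """A build that ignores reproducibility: wall-clock timestamps, entries in
    whatever order `classes` was listed, builder recorded in the manifest."""
    entries = [("META-INF/MANIFEST.MF", manifest_bytes(user, jdk))]
    entries += list(classes.items())
    return write_jar(entries, now)


def reproducible_build(classes, user, jdk, source_date_epoch):
    """Same inputs, but every source of variation from the page removed:
    timestamps from SOURCE_DATE_EPOCH, Built-By/Built-Jdk dropped, and class
    files in sorted order (manifest stays first, as the jar format expects)."""
    entries = [("META-INF/MANIFEST.MF",
                strip_variable_entries(manifest_bytes(user, jdk)))]
    entries += sorted(classes.items())
    return write_jar(entries, source_date_epoch)


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def verify(original_jar, rebuilt_jar):
    """Third step on the page: the rebuilder compares digests."""
    return sha256(original_jar) == sha256(rebuilt_jar)


def demo(source_date_epoch=1400000000):
    """Rebuild the same sources on a second machine (other user, other JDK,
    90 s later, file system listing the classes in the other order).
    Returns (naive_builds_match, reproducible_builds_match)."""
    other_order = dict(reversed(list(SAMPLE_CLASSES.items())))
    naive = verify(naive_build(SAMPLE_CLASSES, "alice", "1.7.0_55", source_date_epoch + 60),
                   naive_build(other_order, "bob", "1.8.0_05", source_date_epoch + 150))
    repro = verify(reproducible_build(SAMPLE_CLASSES, "alice", "1.7.0_55", source_date_epoch),
                   reproducible_build(other_order, "bob", "1.8.0_05", source_date_epoch))
    return naive, repro


if __name__ == "__main__":
    # SOURCE_DATE_EPOCH, when set, is an integer number of seconds since the Unix epoch.
    epoch = int(os.environ.get("SOURCE_DATE_EPOCH", "1400000000"))
    print("naive builds match: %s, reproducible builds match: %s" % demo(epoch))
```

Run it with SOURCE_DATE_EPOCH set in the environment (for example to the timestamp of the last commit, which is what the reproducible-builds.org timestamps page recommends) to see that the reproducible variant gives the same digest whoever runs it; a value before 1980 is clamped to the zip format's minimum, which is the one edge case a jar-producing archiver has to handle when honouring the variable.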