[Git][reproducible-builds/reproducible-website][master] added jvm.md
Hervé Boutemy
gitlab at salsa.debian.org
Sat Dec 29 18:44:04 CET 2018
Hervé Boutemy pushed to branch master at Reproducible Builds / reproducible-website
Commits:
d3e7e62e by Hervé Boutemy at 2018-12-29T17:43:25Z
added jvm.md
- - - - -
1 changed file:
- + _docs/jvm.md
Changes:
=====================================
_docs/jvm.md
=====================================
@@ -0,0 +1,63 @@
+---
+title: JVM
+layout: docs
+permalink: /docs/jvm/
+---
+
+The JVM ecosystem provides many languages and build tools.
+Since the JVM is not reproducible-friendly from the beginning
+-- jar/zip files, with files order and timestamp, are a first natural source of variation --,
+each build tool requires some work to provide Reproducible Builds.
+
+Buildinfo File
+--------------
+
+Whatever the build tool is, binary JVM artifacts are generally published in artifact repositories
+like [Maven Central](https://search.maven.org/) or [Google's Android Repository](https://dl.google.com/dl/android/maven2/index.html).
+
+Being able to rebuild artifacts published in these repositories will require some information: where to get the source tarball from,
+which environment to setup to rebuild the artifacts.
+
+This is the puropse of JVM Buildinfo files that are expected to be published alongside artifacts
+as `${artifactId}-${version}.buildinfo`, in Java properties format:
+
+
+```
+#### Work In Progress ####
+name=<name as in pom.xml>
+groupId=<groupId as in pom.xml>
+artifactId=<artifactId as in pom.xml>
+version=<version as in pom.xml>
+
+# source information, as source tarball in repository and/or scm coordinates
+source=<groupId>:<artifactId>
+source.extension=<extension, usually zip>
+source.classifier=<classifier, usually source-release or src>
+scm=<source control management url as in pom.xml>
+scm.tag=<source control management tag as in pom.xml>
+
+# build environment information
+java.version=<full Java version>
+build-tool=<mvn|sbt|...>
+# sbt-specific information
+sbt.version=1.2.3
+scala.version=2.12.6
+
+# output
+output.1.filename=<file name>
+output.1.length=<file size>
+output.1.sha512=<sha512>
+```
+
+Notice that `${artifactId}-${version}-sources.jar` files published in Maven repositories are not buildable sources, but [sources for IDEs](https://central.sonatype.org/pages/requirements.html#supply-javadoc-and-sources).
+Source tarballs, intended for building, are not always published in repositories but only sometimes, with 2 classical naming conventions:
+- `${artifactId}-${version}-source-release.zip` (see [artifacts in Central providing such source tarballs](https://search.maven.org/search?q=l:source-release))
+- `${artifactId}-${version}-src.zip` (see [artifacts in Central providing such source tarballs](https://search.maven.org/search?q=l:src))
+
+Reproducible Builds for Maven
+-----------------------------
+
+See [https://reproducible-maven-builds.github.io/](https://reproducible-maven-builds.github.io/).
+
+Reproducible Builds for Scala SBT
+---------------------------------
View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/commit/d3e7e62e4ac6f7eeeb342a0a7e13c598cfaab4a8
--
View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/commit/d3e7e62e4ac6f7eeeb342a0a7e13c598cfaab4a8
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.reproducible-builds.org/pipermail/rb-commits/attachments/20181229/aeb28f18/attachment.html>
More information about the rb-commits
mailing list