[Git][reproducible-builds/reproducible-website][master] added section on auditing a build

Hervé Boutemy gitlab at salsa.debian.org
Fri Jan 25 19:42:04 CET 2019


Hervé Boutemy pushed to branch master at Reproducible Builds / reproducible-website


Commits:
c7191b9d by Hervé Boutemy at 2019-01-25T18:42:02Z
added section on auditing a build
- - - - -


1 changed file:

- _docs/jvm.md


Changes:

=====================================
_docs/jvm.md
=====================================
@@ -79,6 +79,24 @@ Source tarballs, intended for building, are not always published in repositories
 - `${artifactId}-${version}-source-release.zip` (see [artifacts in Central providing such source tarballs](https://search.maven.org/search?q=l:source-release))
 - `${artifactId}-${version}-src.zip` (see [artifacts in Central providing such source tarballs](https://search.maven.org/search?q=l:src))
 
+Auditing a Build
+----------------
+
+As explained on top of this page, by default, jars  found in public repositories probably won't be reproducible. But you can try to rebuild them and
+measure how much they are not reproducible:
+
+1. download the jar from a public repository,
+2. determine which major version of JDK was used to produce it: usually, the full Java version is found in `META-INF/MANIFEST.MF` by running `unzip -p xxx.jar META-INF/MANIFEST.MF`
+3. find sources and build instruction on originating project site
+4. rebuild with a JDK of the same major version than the version found on step 2
+4. examine the differences using [diffoscope](https://diffoscope.org/)
+
+Usually, you'll find a few files that are different, in addition to zip content timestamp and order.
+Notice that if you didn't use the same JDK major version, you'll see many differences in .class files.
+
+Improving the build to get reproducible build will then be specific with each build tool.
+You may discuss issues and fixes on [Reproducible Builds mailinglist]({{ "/docs/contribute/" | prepend: site.baseurl }}).
+
 Reproducible Builds for Maven
 -----------------------------
 
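Review bot: the ordered list in the added "Auditing a Build" section has two items numbered `4.` (the rebuild step and the diffoscope step); the second should be `5.` so the raw Markdown numbering matches what the renderer produces and the back-reference to "step 2" stays unambiguous. In the same list, "of the same major version than the version found on step 2" should read "as the version found in step 2", the items are punctuated inconsistently (step 1 ends with a comma, the others with nothing), and the intro line has a double space in "jars  found". Step 2 says the Java version is "usually" found in `META-INF/MANIFEST.MF` but does not name the manifest attribute to look for or say what to do when it is missing; one sentence covering both would make the audit procedure repeatable. In the closing lines, "specific with each build tool" reads better as "specific to each build tool", and "mailinglist" should be "mailing list".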



View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/commit/c7191b9d91816af5cb89de7a908fcea6c5df2139
