[Git][reproducible-builds/reproducible-website][master] 2 commits: Merge JVM sections on 'recording' and the JVM page
Hervé Boutemy
gitlab at salsa.debian.org
Mon Dec 31 14:41:49 CET 2018
Hervé Boutemy pushed to branch master at Reproducible Builds / reproducible-website
Commits:
74acbcef by Arnout Engelen at 2018-12-31T12:48:49Z
Merge JVM sections on 'recording' and the JVM page
- - - - -
573dd7fa by Arnout Engelen at 2018-12-31T13:35:22Z
Clarify we are recording checksums for build output files
- - - - -
2 changed files:
- _docs/jvm.md
- _docs/recording.md
Changes:
=====================================
_docs/jvm.md
=====================================
@@ -4,6 +4,10 @@ layout: docs
permalink: /docs/jvm/
---
+The conventions for the JVM ecosystem are under active development.
+Join the discussion on the
+[mailinglist]({{ "/docs/contribute/" | prepend: site.baseurl }}).
+
The JVM ecosystem provides many languages and build tools.
Since the JVM is not reproducible-friendly from the beginning
-- jar/zip files, with files order and timestamp, are a first natural source of variation --,
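Review bot: "mailinglist" in the added link text should be two words, "mailing list". The added sentence also reads "The conventions for the JVM ecosystem", where the line removed from _docs/recording.md read "The buildinfo conventions for the JVM ecosystem". If the work-in-progress notice is meant to cover only the buildinfo format, keep the qualifier so it is not read as applying to the whole page.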
@@ -15,18 +19,21 @@ Buildinfo File
Whatever the build tool is, binary JVM artifacts are generally published in artifact repositories
like [Maven Central](https://search.maven.org/) or [Google's Android Repository](https://dl.google.com/dl/android/maven2/index.html).
-Being able to rebuild artifacts published in these repositories will require some information: where to get the source tarball from,
+Being able to rebuild artifacts published in these repositories will require some information: where to get the sources from,
which environment to setup to rebuild the artifacts.
This is the puropse of JVM Buildinfo files that are expected to be published alongside artifacts
-as `${artifactId}-${version}.buildinfo`, in Java properties format:
+as `${artifactId}-${version}.buildinfo`, in
+[Java properties format](https://en.wikipedia.org/wiki/.properties).
+For multi-module builds, each produced artifact will have its
+own buildinfo file:
```
#### Work In Progress ####
name=<name as in pom.xml>
-groupId=<groupId as in pom.xml>
-artifactId=<artifactId as in pom.xml>
+group-id=<groupId as in pom.xml>
+artifact-id=<artifactId as in pom.xml>
version=<version as in pom.xml>
# source information, as source tarball in repository and/or scm coordinates
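Review bot: The prose is changed to "where to get the sources from", but the unchanged comment in the example block still reads "# source information, as source tarball in repository and/or scm coordinates", so the two should be aligned. The renamed keys (groupId to group-id, artifactId to artifact-id) keep the placeholders "<groupId as in pom.xml>" and "<artifactId as in pom.xml>", which is fine, but the rename itself deserves a mention in the commit message for anyone already emitting the old key names. The context line "This is the puropse of JVM Buildinfo files" has a typo ("purpose") that could be fixed while this paragraph is being touched.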
@@ -37,14 +44,21 @@ scm.tag=<source control management tag as in pom.xml>
# build environment information
java.version=<full Java version>
build-tool=<mvn|sbt|...>
-# sbt-specific information
+
+# Each build tool or plugin is free to add additional entries to the buildinfo.
+# For example, the sbt plugin may add the following for Scala:
sbt.version=1.2.3
scala.version=2.12.6
-# output
-1.filename=<file name>
-1.length=<file size>
-1.sha512=<sha512>
+# A buildinfo file can contain checksums for multiple output files, for
+# example for the main jar and the accompanying pom.xml:
+outputs.0.filename=<file name>
+outputs.0.length=<file size>
+outputs.0.checksums.sha512=<sha512>
+outputs.1.filename=<file name>
+outputs.1.length=<file size>
+outputs.1.checksums.sha512=<sha512>
+...
```
Notice that `${artifactId}-${version}-sources.jar` files published in Maven repositories are not buildable sources, but [sources for IDEs](https://central.sonatype.org/pages/requirements.html#supply-javadoc-and-sources).
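Review bot: The bare "..." line added at the end of the example sits inside the properties block, where a properties parser would read it as an entry rather than as an ellipsis; write it as a comment ("# ...") so the example stays valid if copied. The example also only shows "outputs.N.checksums.sha512", while the table removed from _docs/recording.md documented "files.0.checksums.sha256"; state whether sha512 is required or which algorithms are accepted under "checksums.", since verifiers need to know which digest to compare. The unit of "outputs.N.length" (the placeholder says "<file size>") is not stated either.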
@@ -57,5 +71,10 @@ Reproducible Builds for Maven
See [https://reproducible-maven-builds.github.io/](https://reproducible-maven-builds.github.io/).
-Reproducible Builds for Scala SBT
----------------------------------
+Reproducible Builds for sbt
+---------------------------
+
+When using [sbt](https://www.scala-sbt.org/), a build tool popular with Scala
+projects, you can use the
+[sbt-reproducible-builds](https://github.com/raboof/sbt-reproducible-builds)
+plugin to strip your artifacts and share buildinfo information.
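Review bot: "strip your artifacts" in the added sbt paragraph does not say what is stripped. The page introduction names file order and timestamps in jar/zip files as sources of variation; say whether that is what is meant here, or link to the plugin documentation that describes it. "share buildinfo information" would read more precisely as publishing a buildinfo file, matching the "published alongside artifacts" wording in the Buildinfo File section.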
=====================================
_docs/recording.md
=====================================
@@ -57,41 +57,13 @@ necessary to reproducibly rebuild that revision of Tails.
### JVM
-The buildinfo conventions for the JVM ecosystem are under active development.
-Join the discussion on the
-[mailinglist]({{ "/docs/contribute/" | prepend: site.baseurl }}).
-
-The format for buildinfo files in the JVM ecosystem is a
-[.properties file](https://en.wikipedia.org/wiki/.properties).
-For multi-module builds, each produced artifact will have its
-own buildinfo file.
-
-Common keys are:
-
-|key|meaning|
-|-|-|
-|name|Name of the packaged entity|
-|group-id|Corresponds to the Maven group id or Ivy organization|
-|artifact-id|Corresponds the the Maven artifact id or Ivy artifact name
-|version|Version of the software|
-|java.version|Version of Java used to build the software|
-|build-tool|Name of the build tool used to build the software, e.g. `maven` or `sbt`|
-
-Each build tool or plugin is free to add additional values to the buildinfo.
-For example, [sbt-reproducible-builds](https://github.com/raboof/sbt-reproducible-builds) adds:
-
-|key|meaning|
-|-|-|
-|sbt.version|Version of sbt used to build the software|
-|scala.version|Version of Scala used to build the software|
-
-A buildinfo file can contain checksums for multiple files, for example for the
-main jar and the accompanying pom.xml:
-
-|key|meaning|
-|-|-|
-|files.0.filename|Filename of the first file|
-|files.0.length|Length of the first file|
-|files.0.checksums.sha256|SHA-256 Checksum of the first file|
-|files.1.filename|Filename of the second file|
-|files.1.|Etc.|
+In the JVM ecosystem it is common to distribute libraries as binary (bytecode)
+jars uploaded to a repository like [Maven Central](https://search.maven.org/)
+or
+[Google's Android Repository](https://dl.google.com/dl/android/maven2/index.html).
+
+It is recommended that the buildinfo describing the build environment used for
+that official build is published alongside each artifact. Third party
+attestations can be shared in a separate sig-repo. For a detailed overview of
+the conventions so far see the separate
+[JVM page]({{ "/docs/jvm/" | prepend: site.baseurl }}).
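Review bot: The removed tables were the only place that explained what each key means, for example that group-id "Corresponds to the Maven group id or Ivy organization" and that build-tool takes values such as `maven` or `sbt`; the example block in _docs/jvm.md only says "<groupId as in pom.xml>" and "<mvn|sbt|...>", so the Ivy mapping and the per-key descriptions are lost in the merge. Consider carrying the key/meaning table over to the JVM page. In the added text, "sig-repo" is used without a definition or link, and "Third party attestations" should be hyphenated as "Third-party".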
View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/compare/6ba3e560e927c07fe1de5181cbd34b5f7e54dd16...573dd7fa7d1375d2e89dd9235b3086fa58426711