[Git][reproducible-builds/reproducible-website][master] introduce Reproducible Central with its .buildspec

Hervé Boutemy (@herve.boutemy-guest) gitlab at salsa.debian.org
Sat Jun 12 19:54:11 UTC 2021



Hervé Boutemy pushed to branch master at Reproducible Builds / reproducible-website


Commits:
300587e9 by Hervé Boutemy at 2021-06-12T19:54:09+00:00
introduce Reproducible Central with its .buildspec
- - - - -


1 changed file:

- _docs/jvm.md


Changes:

=====================================
_docs/jvm.md
=====================================
@@ -12,19 +12,46 @@ Since the JVM is not reproducible-friendly from the beginning
 -- jar/zip files are a first natural source of variation, with files order and timestamp --,
 each build tool requires some work to provide Reproducible Builds.
 
-## `.buildinfo` file
+## Reproducible Central
 
 Whatever the build tool is, binary JVM artifacts are generally published in artifact repositories
 that use the Maven2 repository format (using groupId/artifactId/version coordinates)
 like [Maven Central](https://search.maven.org/) or [Google's Android Repository](https://dl.google.com/dl/android/maven2/index.html).
 
-Being able to rebuild artifacts published in these repositories will require some information: where to get the sources from?
-Which build environment to setup to rebuild the artifacts?
+[Reproducible Central](https://github.com/jvm-repo-rebuild/reproducible-central#readme) is an effort to rebuild public releases published
+to [Maven Central](https://search.maven.org/) and check that Reproducible Build can be achieved.
+
+Contributions are welcome to write additional [`.buildspec` file](https://github.com/jvm-repo-rebuild/reproducible-central/blob/master/BUILDSPEC.md)
+that will be used to rebuild the release and compare against binaries available in Maven Central.
+
+## Configuring Build Tools for Reproducible Builds
+
+### Maven
+
+Getting reproducible builds with Maven requires some plugins configuration: see
+[Maven - Guide to Configuring for Reproducible Builds](https://maven.apache.org/guides/mini/guide-reproducible-builds.html)
+for more details.
+
+### Gradle
+
+Gradle supports [reproducible archives](https://docs.gradle.org/current/userguide/working_with_files.html#sec:reproducible_archives) as of v3.4
+
+Tasks which generate archives, such as ZIPs or JARs, can enforce preserved file timestamps and reproducible file order which fix two of the main sources of non-determinism in JVM artifacts.
+
+### `sbt`
+
+When using [sbt](https://www.scala-sbt.org/), a build tool popular with Scala projects, you can use the
+[sbt-reproducible-builds](https://github.com/raboof/sbt-reproducible-builds) plugin to strip your artifacts and share buildinfo information.
 
-This is the purpose of JVM Buildinfo files: they are expected to be published alongside artifacts
-as separate `${artifactId}-${version}.buildinfo` file, with content in
-[Java properties format](https://en.wikipedia.org/wiki/.properties):
+## `.buildinfo` file
+
+JVM `.buildinfo` file format is a format drafted in 2018 when working initially on Reproducible Builds for the JVM, to try to record
+full build info data, from source and environment used to rebuild to output result: its intent was to easily compare 2 builds run by independant people.
+
+After 3 years of work on Reproducible Builds, it has been found more useful as an internal file format: Reproducible Central and its
+`.buildspec` format is more what we need to check that Reproducible Builds results has been achieved. `.buildinfo` just records a build, be it reproducible or not.
 
+Buildinfo file format version 1.0-SNAPSHOT is kept here for reference on past work. It uses [Java properties format](https://en.wikipedia.org/wiki/.properties):
 
 ```
 #### Work In Progress ####
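Review bot: the new `.buildinfo` paragraph carries a typo and a grammar slip: "independant" should read "independent", and "check that Reproducible Builds results has been achieved" should read "check that a Reproducible Build has been achieved". In the Reproducible Central paragraph, "write additional `.buildspec` file" should be "files" (or "an additional `.buildspec` file"), and the moved Gradle sentence "as of v3.4" still lacks its closing period, which this move is a good moment to fix. Since the section now says the 1.0-SNAPSHOT format "is kept here for reference on past work", the `#### Work In Progress ####` header at the top of the properties sample contradicts that and should be reworded (for example "kept for reference") so readers do not take the format as still evolving.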
@@ -79,66 +106,3 @@ Notice that `${artifactId}-${version}-sources.jar` files published in Maven repo
 Source tarballs, intended for building, are not always published in repositories but only sometimes, with 2 classical naming conventions:
 - `${artifactId}-${version}-source-release.zip` (see [artifacts in Central providing such source tarballs](https://search.maven.org/search?q=l:source-release))
 - `${artifactId}-${version}-src.zip` (see [artifacts in Central providing such source tarballs](https://search.maven.org/search?q=l:src))
-
-## Auditing a Build
-
-Builds that are publishing a Buildinfo file are expected to be reproducible and the Buildinfo
-file is expected to contain everything required to rebuild and get the same output:
-if you find a Buildinfo file that is not sufficient to rebuild or you don't get the same result,
-please get in contact with the project to help improve reproducibility.
-
-Without Buildinfo file, as explained on top of this page, by default, jars  found in public repositories probably won't be reproducible.
-But you can try to rebuild them and measure how much they are not reproducible:
-
-1. download the jar from a public repository,
-2. determine which major version of JDK was used to produce it: usually, the full Java version is found in `META-INF/MANIFEST.MF` by running `unzip -p xxx.jar META-INF/MANIFEST.MF`
-3. find sources and build instructions on originating project site
-4. rebuild with a JDK of the same major version than the version found on step 2
-4. examine the differences using [diffoscope](https://diffoscope.org/)
-
-Usually, you'll find a few files that are different, in addition to zip content timestamp and order.
-Notice that if you didn't use the same JDK major version, you'll see many differences in .class files.
-
-Improving the build to get reproducible builds will then be specific to each build tool.
-You may discuss issues and fixes on the [Reproducible Builds mailing list]({{ "/docs/contribute/" | relative_url }}).
-
-## Reproducible Builds for Maven
-
-Getting reproducible builds with Maven requires some plugins configuration: see
-[Maven - Guide to Configuring for Reproducible Builds](https://maven.apache.org/guides/mini/guide-reproducible-builds.html)
-for more details.
-
-Work is in progress also with [maven-buildinfo-plugin](https://github.com/apache/maven-studies/tree/maven-buildinfo-plugin)
-to easily provide Buildinfo files once a build has been made reproducible.
-
-### source release archive
-To create a source release archive, see [Apache Source Release Assembly Descriptor](https://maven.apache.org/apache-resource-bundles/#Source_Release_Assembly_Descriptor)
-that is commonly used. Nothing prevents you to create your own assembly descriptor or even use another plugin: don't hesitate to share recipes.
-
-### rebuild arguments
-A rebuilder does not need to execute integration tests or even unit tests, may even skip compiling unit tests.
-Classical arguments contain following patterns:
-- `package` phase: no need to `deploy` or even `install`
-- `-Dmaven.test.skip`: avoid running tests and even compiling tests
-- `-DskipTests`: avoid running tests, but still builds (necessary for some projects)
-- `-Dgpg.skip`: avoid PGP signing
-- `-Papache-release` or any release profile: activate release-specific tasks used by `maven-release-plugin`
-- `-Dline.separator=$'\r\n'`: define Windows line endings from an Unix environment
-
-### multi-module build
-For multi-module builds, each produced artifact will have its
-own buildinfo file with `mvn.build-root` property defined, to know the root from which the
-rebuild must happen.
-
-## Reproducible Builds for Gradle
-
-Gradle supports [reproducible archives](https://docs.gradle.org/current/userguide/working_with_files.html#sec:reproducible_archives) as of v3.4
-
-Tasks which generate archives, such as ZIPs or JARs, can enforce preserved file timestamps and reproducible file order which fix two of the main sources of non-determinism in JVM artifacts.
-
-## Reproducible Builds for `sbt`
-
-When using [sbt](https://www.scala-sbt.org/), a build tool popular with Scala
-projects, you can use the
-[sbt-reproducible-builds](https://github.com/raboof/sbt-reproducible-builds)
-plugin to strip your artifacts and share buildinfo information.
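Review bot: this removal drops practitioner guidance that the other hunk does not replace: the manual audit steps (read the JDK version from `META-INF/MANIFEST.MF` with `unzip -p xxx.jar META-INF/MANIFEST.MF`, rebuild with the same JDK major version, compare with diffoscope) and the rebuild-arguments list (`-Dmaven.test.skip`, `-Dgpg.skip`, `-Dline.separator=$'\r\n'`, release profiles, `mvn.build-root` for multi-module builds). If that material now lives in the Reproducible Central `BUILDSPEC.md`, the page should say so with a pointer next to the `.buildspec` link; otherwise keep at least the JDK-major-version caveat, since a mismatched JDK yields many `.class` differences that a reader will otherwise attribute to the build itself. The removed text also pointed contributors to the mailing list via `{{ "/docs/contribute/" | relative_url }}`; after this change the page no longer says where to discuss reproducibility issues.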



View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/commit/300587e97d01ce154197f3b03653329252dfe376


