[rb-general] Reproducible Java builds with Maven

Arnout Engelen arnout at bzzt.net
Wed Dec 5 14:49:24 CET 2018


On Tue, Nov 27, 2018 at 9:58 AM Hervé BOUTEMY <herve.boutemy at free.fr> wrote:
> Yes, the Buildinfo seems an interesting part to work together.
>
> I'm quite a noob on that, I'll need some pointers on basic info first.
>
> Should we start by defining a convention?

One thing to decide on would be what kind of file format to use.
rfc822 is a bit foreign outside of Debian. I have no particular love
for XML, JSON or YAML, to be quite honest. What would you think
about a good old '.properties' file? The only challenge there is to
encode the checksums, which is a 'list of objects' of sorts, but that
can be done quite easily with the '.n' convention.

It could look something like this:

----8<----
group_id=net.bzzt
artifact_id=simple_2.12
version=0.1.0-SNAPSHOT
build_architecture=all
source=net.bzzt:simple_2.12
binary=net.bzzt:simple_2.12
package=net.bzzt:simple_2.12
java.version=1.8.0_191
sbt.version=1.2.3
scala.version=2.12.7
scala.binary-version=2.12
checksums_sha256.0.filename=simple_2.12-0.1.0-SNAPSHOT.pom
checksums_sha256.0.length=783
checksums_sha256.0.checksum=9c2622cc15004a9376dc7f186d72b8c853333b6cd1a97787167cc4af3d963ace
checksums_sha256.1.filename=simple_2.12-0.1.0-SNAPSHOT.jar
checksums_sha256.1.length=2933
checksums_sha256.1.checksum=a24db1b57fda86f30f611d0395c63c20667b703ece288388ee82797df260a0a6
---->8----

What do you think? By including the group_id and
artifact_id in the buildinfo we will have to publish a
buildinfo per artifact, even for multi-jar builds - that
seems reasonable to me.


Arnout

> Le lundi 26 novembre 2018, 09:40:44 CET Arnout Engelen a écrit :
> > On Mon, Nov 26, 2018 at 9:08 AM Hervé Boutemy <hboutemy at apache.org> wrote:
> > > A few years ago, the work on this started and I created a Wiki page [1] at
> > > Maven to try to consolidate efforts from many isolated people I met who
> > > were interested in the topic: this Wiki page did not attract many
> > > contributions nor even discussions on Maven mailing lists, I hope this
> > > thread at reproducible- builds will help convergence between efforts.
> >
> > Thanks, I wasn't aware of this page.
> >
> > > And one thing that worries me is the variability introduced by the JDK
> > > version used: this one is quite generic to Java, I don't know if there is
> > > currently a global strategy that we could reuse.
> >
> > I don't think there is much to do except including the JDK version in
> > the Buildinfo.
> >
> > > Anybody interested in working together?
> >
> > Quite possibly! I do a lot of programming in Scala (another language
> > targeting the JVM),
> > and have been working on improving reproducibility there by
> > introducing a r-b plugin for
> > its sbt build system, sbt-reproducible-builds[1].
> >
> > That uses the maven plugin you mentioned[2] as a basis for
> > post-processing the artifact
> > (though I'm planning to extract the logic to a separate library). I
> > agree it would be good to
> > fix more things 'at the source', but (as you mentioned above) I
> > suspect some aspects such
> > as jar file generation will probably need post-processing for the
> > foreseeable future.
> >
> > It also has some (crude, very incomplete) features for uploading
> > signed Buildinfo attestations
> > and comparing them with Buildinfo's uploaded by others.
> >
> > This might be an area we could work together on: putting together the
> > conventions and
> > infrastructure to share Buildinfo attestations for JVM library
> > projects. In the JVM world
> > it is common to distribute libraries independently through
> > repositories such as Maven
> > Central, which might be a bit different from how Linux distributions
> > work. Starting on
> > that would be interesting. So far I've been using
> > sbt-reproducible-builds with a (very)
> > simple web service to collect Buildinfo's,
> > reproducible-builds-certification-repository[3].
> > Unfortunately my example server is currently not running so I can't
> > point to that
> > right now.
> >
> >
> > Kind regards,
> >
> > Arnout
> >
> > [1]: https://github.com/raboof/sbt-reproducible-builds
> > [2]: https://github.com/Zlika/reproducible-build-maven-plugin
> > [3]: http://github.com/raboof/reproducible-builds-certification-repository
> > _______________________________________________
> > rb-general at lists.reproducible-builds.org mailing list
> >
> > To change your subscription options, visit
> > https://lists.reproducible-builds.org/listinfo/rb-general.
> >
> > To unsubscribe, send an email to
> > rb-general-unsubscribe at lists.reproducible-builds.org.

