[rb-general] Reproducible Java builds with Maven

Arnout Engelen arnout at bzzt.net
Mon Nov 26 09:40:44 CET 2018 

On Mon, Nov 26, 2018 at 9:08 AM Hervé Boutemy <hboutemy at apache.org> wrote:
> A few years ago, the work on this started and I created a Wiki page [1] at
> Maven to try to consolidate efforts from many isolated people I met who were
> interested in the topic: this Wiki page did not attract many contributions nor
> even discussions on Maven mailing lists, I hope this thread at reproducible-
> builds will help convergence between efforts.

Thanks, I wasn't aware of this page.

> And one thing that worries me is the variability introduced by the JDK version
> used: this one is quite generic to Java, I don't know if there is currently a
> global strategy that we could reuse.

I don't think there is much to do except including the JDK version in
the Buildinfo.

> Anybody interested in working together?

Quite possibly! I do a lot of programming in Scala (another language
targeting the JVM),
and have been working on improving reproducibility there by
introducing a r-b plugin for
its sbt build system, sbt-reproducible-builds[1].

That uses the maven plugin you mentioned[2] as a basis for
post-processing the artifact
(though I'm planning to extract the logic to a separate library). I
agree it would be good to
fix more things 'at the source', but (as you mentioned above) I
suspect some aspects such
as jar file generation will probably need post-processing for the
foreseeable future.

It also has some (crude, very incomplete) features for uploading
signed Buildinfo attestations
and comparing them with Buildinfo's uploaded by others.

This might be an area we could work together on: putting together the
conventions and
infrastructure to share Buildinfo attestations for JVM library
projects. In the JVM world
it is common to distribute libraries independently through
repositories such as Maven
Central, which might be a bit different from how Linux distributions
work. Starting on
that would be interesting. So far I've been using
sbt-reproducible-builds with a (very)
simple web service to collect Buildinfo's,
reproducible-builds-certification-repository[3].
Unfortunately my example server is currently not running so I can't
point to that
right now.


Kind regards,

Arnout

[1]: https://github.com/raboof/sbt-reproducible-builds
[2]: https://github.com/Zlika/reproducible-build-maven-plugin
[3]: http://github.com/raboof/reproducible-builds-certification-repository

More information about the rb-general mailing list