[rb-general] Reproducible Java builds with Maven

Hervé BOUTEMY herve.boutemy at free.fr
Mon Nov 26 23:39:06 CET 2018

Yes, the Buildinfo seems an interesting part to work together.

I'm quite a noob on that, I'll need some pointers on basic info first.

Then it seems the way we look at this topic is quite different when you think 
as a Linux distribution manager or as a Java/Maven user publishing to Maven 
Central, which is what I'm looking at first as a Maven developer.

Should we start by defining a convention for anybody to publish a Buildinfo 
alongside his binary artifacts while publishing to Central?



On Monday, 26 November 2018 at 09:40:44 CET, Arnout Engelen wrote:
> On Mon, Nov 26, 2018 at 9:08 AM Hervé Boutemy <hboutemy at apache.org> wrote:
> > A few years ago, the work on this started and I created a Wiki page [1] at
> > Maven to try to consolidate efforts from many isolated people I met who
> > were interested in the topic: this Wiki page did not attract many
> > contributions nor even discussions on Maven mailing lists, I hope this
> > thread at reproducible-builds will help convergence between efforts.
>
> Thanks, I wasn't aware of this page.
>
> > And one thing that worries me is the variability introduced by the JDK
> > version used: this one is quite generic to Java, I don't know if there is
> > currently a global strategy that we could reuse.
>
> I don't think there is much to do except including the JDK version in
> the Buildinfo.
>
> > Anybody interested in working together?
>
> Quite possibly! I do a lot of programming in Scala (another language
> targeting the JVM), and have been working on improving reproducibility
> there by introducing an r-b plugin for its sbt build system,
> sbt-reproducible-builds [1].
>
> That uses the maven plugin you mentioned [2] as a basis for
> post-processing the artifact (though I'm planning to extract the logic
> to a separate library). I agree it would be good to fix more things 'at
> the source', but (as you mentioned above) I suspect some aspects such as
> jar file generation will probably need post-processing for the
> foreseeable future.
>
> It also has some (crude, very incomplete) features for uploading signed
> Buildinfo attestations and comparing them with Buildinfos uploaded by
> others.
>
> This might be an area we could work together on: putting together the
> conventions and infrastructure to share Buildinfo attestations for JVM
> library projects. In the JVM world it is common to distribute libraries
> independently through repositories such as Maven Central, which might be
> a bit different from how Linux distributions work. Starting on that
> would be interesting. So far I've been using sbt-reproducible-builds
> with a (very) simple web service to collect Buildinfos,
> reproducible-builds-certification-repository [3]. Unfortunately my
> example server is currently not running so I can't point to that right
> now.
>
> Kind regards,
> Arnout
> [1]: https://github.com/raboof/sbt-reproducible-builds
> [2]: https://github.com/Zlika/reproducible-build-maven-plugin
> [3]: http://github.com/raboof/reproducible-builds-certification-repository
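Two concrete points come out of the exchange above: jar generation needs post-processing before its bytes are stable, and the JDK version must be recorded in the Buildinfo. The following is an added example, not code from the thread, from sbt-reproducible-builds or from reproducible-build-maven-plugin. It normalises a jar in the way such post-processing does (sorted entries, fixed timestamp, fixed permission bits), hashes the result and writes a key=value record that carries the hash and the JDK version. The record layout, the `java.version` key and the sample jar contents are assumptions chosen for illustration, not any Maven or Debian Buildinfo format; the JDK version is passed in as a constructed value rather than read from a real JVM.

```python
"""Added example: jar normalisation plus a Buildinfo-style record.
Not from the thread or either plugin it mentions; record layout is hypothetical."""
import hashlib
import io
import zipfile

# Fixed timestamp for every entry; 1980-01-01 is the earliest DOS date a zip can hold.
FIXED_DATE_TIME = (1980, 1, 1, 0, 0, 0)


def normalize_jar(jar_bytes: bytes) -> bytes:
    """Rewrite a jar with entries in sorted order, a fixed timestamp and fixed
    permission bits, so builds with identical content give identical bytes."""
    src = zipfile.ZipFile(io.BytesIO(jar_bytes))
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as dst:
        for name in sorted(src.namelist()):
            info = zipfile.ZipInfo(name, date_time=FIXED_DATE_TIME)
            info.create_system = 3  # always "Unix"; ZipInfo otherwise picks this per host OS
            if name.endswith("/"):
                info.compress_type = zipfile.ZIP_STORED
                info.external_attr = (0o755 << 16) | 0x10  # directory, rwxr-xr-x
            else:
                info.compress_type = zipfile.ZIP_DEFLATED
                info.external_attr = 0o644 << 16  # rw-r--r--, independent of the build host's umask
            dst.writestr(info, src.read(name))
    return out.getvalue()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_buildinfo(artifact_name: str, jar_bytes: bytes, jdk_version: str) -> str:
    """Hypothetical key=value Buildinfo record: artifact, hash of the normalised
    jar, and the JDK used, which the thread identifies as a required field."""
    lines = [
        f"artifact={artifact_name}",
        f"sha256={sha256_hex(normalize_jar(jar_bytes))}",
        f"java.version={jdk_version}",  # assumed key name; value would come from the build JVM
    ]
    return "\n".join(lines) + "\n"


def build_sample_jar(timestamp, order):
    """Constructed sample input: the same two files written with a different
    timestamp and entry order, as two independent builds would produce them."""
    files = {
        "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
        "com/example/Foo.class": b"\xca\xfe\xba\xbe",  # class-file magic only, constructed
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in order:
            zf.writestr(zipfile.ZipInfo(name, date_time=timestamp), files[name])
    return buf.getvalue()


def compare_builds():
    """Return (raw jars differ, normalised jars match) for two constructed builds."""
    a = build_sample_jar((2018, 11, 26, 9, 8, 0), ["META-INF/MANIFEST.MF", "com/example/Foo.class"])
    b = build_sample_jar((2018, 11, 26, 23, 39, 0), ["com/example/Foo.class", "META-INF/MANIFEST.MF"])
    raw_differ = sha256_hex(a) != sha256_hex(b)
    normalized_match = sha256_hex(normalize_jar(a)) == sha256_hex(normalize_jar(b))
    return raw_differ, normalized_match


if __name__ == "__main__":
    print("raw jars differ / normalised jars match:", compare_builds())
    sample = build_sample_jar((2018, 11, 26, 9, 8, 0), ["META-INF/MANIFEST.MF", "com/example/Foo.class"])
    print(make_buildinfo("foo-1.0.jar", sample, "11.0.1"), end="")
```

Running the script shows the two constructed jars hashing differently before normalisation and identically after it; the record is what a publisher would upload beside the artifact so that an independent rebuilder on the same JDK version can compare hashes, and a rebuilder on a different JDK knows in advance why a mismatch may occur.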
