[rb-general] Checking Reproducible Build for a Maven project
Hans-Christoph Steiner
hans at guardianproject.info
Tue Dec 10 20:53:00 UTC 2019
After working with Maven and Bazel devs at the summit, I wanted to
follow up to keep the buildinfo work moving. I have buildinfo
generation working with gradle, and it is now working in Maven plugins.
I'd heard it was working with Bazel, but I haven't seen it yet.
The JARs produced with Maven and Gradle now only differ in the sort
order of files in the ZIP header. `mvn deploy` even pushes the
buildinfo file to the maven repo:
https://gitlab.com/eighthave/jtorctl/-/packages/59404
In this process, I found a small bug in maven archiver, which puts the
META-INF/ dir entry after the META-INF/MANIFEST.MF entry in the ZIP:
https://issues.apache.org/jira/browse/MSHARED-849
.hc
--
PGP fingerprint: EE66 20C7 136B 0D2C 456C 0A4D E9E2 8DEA 00AA 5556
https://pgp.mit.edu/pks/lookup?op=vindex&search=0xE9E28DEA00AA5556
More information about the rb-general
mailing list