[rb-general] Checking Reproducible Build for a Maven project
Hans-Christoph Steiner
hans at guardianproject.info
Wed Dec 18 22:25:44 UTC 2019
More progress! The jtorctl library that we hacked on in Marrakesh is
now published using Maven with a .buildinfo file:
https://repo1.maven.org/maven2/info/guardianproject/jtorctl/0.4/
.hc
Hans-Christoph Steiner:
>
> After working with Maven and Bazel devs at the summit, I wanted to
> follow up to keep the buildinfo work moving. I have buildinfo
> generation working with gradle, and it is now working in Maven plugins.
> I'd heard it was working with Bazel, but I haven't seen it yet.
>
> The JARs produced with Maven and Gradle now only differ in the sort
> order of files in the ZIP header. `mvn deploy` even pushes the
> buildinfo file to the maven repo:
> https://gitlab.com/eighthave/jtorctl/-/packages/59404
>
> In this process, I found a small bug in maven archiver, which puts the
> META-INF/ dir entry after the META-INF/MANIFEST.MF entry in the ZIP:
> https://issues.apache.org/jira/browse/MSHARED-849
>
> .hc
>
--
PGP fingerprint: EE66 20C7 136B 0D2C 456C 0A4D E9E2 8DEA 00AA 5556
https://pgp.mit.edu/pks/lookup?op=vindex&search=0xE9E28DEA00AA5556
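
Added example, not part of the original message or of the Maven, Gradle or jtorctl code: a Python check that tells whether two JARs differ only in entry order, and which directory entries come after their own children (the META-INF/ case reported in MSHARED-849). The entry names and the two sample JARs are constructed, and the comparison reads the ZIP central directory.

```python
import io
import zipfile


def build_jar(names):
    """Constructed sample JAR: entries written in the given order, fixed timestamp."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in names:
            info = zipfile.ZipInfo(name, date_time=(1980, 1, 1, 0, 0, 0))
            data = b"" if name.endswith("/") else ("content of " + name).encode()
            zf.writestr(info, data)
    return buf.getvalue()


def entries(jar_bytes):
    """Return [(name, crc32, size)] in central-directory order."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return [(i.filename, i.CRC, i.file_size) for i in zf.infolist()]


def compare_jars(a, b):
    """Classify the difference between two JARs by their entry lists."""
    ea, eb = entries(a), entries(b)
    if ea == eb:
        return "identical-entries"
    if sorted(ea) == sorted(eb):
        return "order-only"  # same names and contents, different sort order
    return "content-differs"


def dirs_after_children(jar_bytes):
    """Directory entries that appear after an entry located inside them."""
    seen, late = [], []
    for name, _, _ in entries(jar_bytes):
        if name.endswith("/") and any(s.startswith(name) for s in seen):
            late.append(name)
        seen.append(name)
    return late


# Constructed inputs: JAR_A has META-INF/ after META-INF/MANIFEST.MF, JAR_B before.
JAR_A = build_jar(["META-INF/MANIFEST.MF", "META-INF/", "org/", "org/example/",
                   "org/example/Demo.class"])
JAR_B = build_jar(["META-INF/", "META-INF/MANIFEST.MF", "org/", "org/example/",
                   "org/example/Demo.class"])

if __name__ == "__main__":
    print(compare_jars(JAR_A, JAR_B), dirs_after_children(JAR_A))
```

An "order-only" result means the artifacts still fail a byte-for-byte hash comparison even though every entry matches.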